
TM-949: Add back lambda function to delete snapshots #9548

Open · wants to merge 9 commits into base: main

Conversation

@vc13837 (Contributor) commented Feb 4, 2025

No description provided.

@vc13837 vc13837 requested review from a team as code owners February 4, 2025 11:14
@github-actions bot added the `environments-repository` label ("Used to exclude PRs from this repo in our Slack PR update") Feb 4, 2025
github-actions bot commented Feb 4, 2025

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2025-02-04T11:16:59Z INFO [vulndb] Need to update DB
2025-02-04T11:16:59Z INFO [vulndb] Downloading vulnerability DB...
2025-02-04T11:16:59Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T11:17:01Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T11:17:01Z INFO [vuln] Vulnerability scanning is enabled
2025-02-04T11:17:01Z INFO [misconfig] Misconfiguration scanning is enabled
2025-02-04T11:17:01Z INFO [misconfig] Need to update the built-in checks
2025-02-04T11:17:01Z INFO [misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2025-02-04T11:17:01Z INFO [secret] Secret scanning is enabled
2025-02-04T11:17:01Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T11:17:01Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T11:17:02Z INFO [terraform scanner] Scanning root module file_path="."
2025-02-04T11:17:02Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-02-04T11:17:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T11:17:03Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T11:17:03Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T11:17:03Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T11:17:05Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T11:17:05Z INFO Number of language-specific files num=0
2025-02-04T11:17:05Z INFO Detected config files num=10

alb.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:132
via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
130 resource "aws_lb" "external" {
...
132 [ internal = false
...
153 }
────────────────────────────────────────

app_servers.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:193
via app_servers.tf:192-194 (metadata_options)
via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
181 resource "aws_instance" "app1" {
...
193 [ http_tokens = "optional"
...
213 }
────────────────────────────────────────

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:228
via app_servers.tf:227-229 (metadata_options)
via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
215 resource "aws_instance" "app2" {
...
228 [ http_tokens = "optional"
...
248 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:181-213
────────────────────────────────────────
181 ┌ resource "aws_instance" "app1" {
182 │ ami = local.application_data.accounts[local.environment].app_ami_id
183 │ availability_zone = "eu-west-2a"
184 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
185 │ monitoring = true
186 │ vpc_security_group_ids = [aws_security_group.app.id]
187 │ subnet_id = data.aws_subnet.private_subnets_a.id
188 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
189 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:215-248
────────────────────────────────────────
215 ┌ resource "aws_instance" "app2" {
216 │ count = contains(["development2", "testing"], local.environment) ? 0 : 1
217 │ ami = local.application_data.accounts[local.environment].app_ami_id
218 │ availability_zone = "eu-west-2a"
219 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
220 │ monitoring = true
221 │ vpc_security_group_ids = [aws_security_group.app.id]
222 │ subnet_id = data.aws_subnet.private_subnets_a.id
223 └ iam_instance_profile = aws_iam_instance_profile.cwa.id
...
────────────────────────────────────────

concurrent_manager.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:171
via concurrent_manager.tf:170-172 (metadata_options)
via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
159 resource "aws_instance" "concurrent_manager" {
...
171 [ http_tokens = "optional"
...
191 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:159-191
────────────────────────────────────────
159 ┌ resource "aws_instance" "concurrent_manager" {
160 │ ami = local.application_data.accounts[local.environment].cm_ami_id
161 │ availability_zone = "eu-west-2a"
162 │ instance_type = local.application_data.accounts[local.environment].cm_instance_type
163 │ monitoring = true
164 │ vpc_security_group_ids = [aws_security_group.concurrent_manager.id]
165 │ subnet_id = data.aws_subnet.private_subnets_a.id
166 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
167 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

database.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:195
via database.tf:194-196 (metadata_options)
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
195 [ http_tokens = "optional"
...
212 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:183-212
────────────────────────────────────────
183 ┌ resource "aws_instance" "database" {
184 │ ami = local.application_data.accounts[local.environment].db_ami_id
185 │ availability_zone = "eu-west-2a"
186 │ instance_type = local.application_data.accounts[local.environment].db_instance_type
187 │ monitoring = true
188 │ vpc_security_group_ids = [aws_security_group.database.id]
189 │ subnet_id = data.aws_subnet.data_subnets_a.id
190 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
191 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

s3.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────

trivy_exitcode=1
```
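
Hardened forms of the flagged resource types, as an added example from the editor rather than code from this PR or from either scanner: each resource keeps the names used in the findings above and replaces the weak setting (optional IMDS tokens, unencrypted root volume, ALB header handling, unencrypted bucket, tag-pinned module) with the fix the rule text describes. `aws_kms_key.cwa`, the IMDS hop limit and the `<commit-sha>` placeholder are assumptions, not values from this repository.

```hcl
# Editor's added example, not code from this PR or from the scan output:
# hardened forms of the resource types the Trivy findings above flag, with
# the weak setting noted beside each fix. Resource, local and data source
# names come from the scan output; aws_kms_key.cwa, the IMDS hop limit and
# the <commit-sha> placeholder are assumptions.

# One customer-managed key for the EBS root volumes and the scripts bucket;
# rotation is the control AVD-AWS-0132 wants you to own (assumed resource).
resource "aws_kms_key" "cwa" {
  description         = "CWA data-at-rest key"
  enable_key_rotation = true
}

# AVD-AWS-0052 / CKV_AWS_131: drop malformed header fields at the ALB so
# they never reach a target. AVD-AWS-0053 (exposed publicly) is a warning,
# not a defect, for an internet-facing entry point: keep internal = false
# and record the decision instead of "fixing" it.
resource "aws_lb" "external" {
  name                       = "${upper(local.application_name_short)}-LoadBalancer"
  internal                   = false # public by design
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.external_lb.id]
  subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
  enable_deletion_protection = local.lb_enable_deletion_protection
  idle_timeout               = local.external_lb_idle_timeout
  enable_http2               = false
  drop_invalid_header_fields = true # alb.tf:139 has this line commented out

  access_logs {
    bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
    prefix  = "${local.application_name}-LoadBalancer"
    enabled = true
  }

  tags = merge(local.tags, { Name = "${local.application_name}-LoadBalancer" })
}

# AVD-AWS-0028 / CKV_AWS_79: IMDSv2 only. With http_tokens = "optional" a
# plain GET to 169.254.169.254 from any process on the box, or through an
# SSRF in the application, returns the instance-profile credentials.
# "required" demands a session token first, obtained with a PUT plus a
# custom header, which most SSRF primitives cannot send.
# AVD-AWS-0131: encrypt the root volume with the key above.
resource "aws_instance" "app1" {
  ami                    = local.application_data.accounts[local.environment].app_ami_id
  availability_zone      = "eu-west-2a"
  instance_type          = local.application_data.accounts[local.environment].app_instance_type
  monitoring             = true
  ebs_optimized          = true # CKV_AWS_135
  vpc_security_group_ids = [aws_security_group.app.id]
  subnet_id              = data.aws_subnet.private_subnets_a.id
  iam_instance_profile   = aws_iam_instance_profile.cwa.id
  key_name               = aws_key_pair.cwa.key_name

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # was "optional"
    http_put_response_hop_limit = 1          # assumption: nothing on the host relays IMDS
  }

  root_block_device {
    encrypted  = true
    kms_key_id = aws_kms_key.cwa.arn
    tags       = merge(local.tags, { Name = "${local.application_name_short}-app1-root" })
  }

  tags = merge(local.tags, { Name = local.appserver1_ec2_name })
}

# AVD-AWS-0088 / AVD-AWS-0132: default SSE-KMS on the scripts bucket. With
# AWS provider v4+ this lives in its own resource; the inline
# server_side_encryption_configuration block on aws_s3_bucket is deprecated.
resource "aws_s3_bucket" "scripts" {
  bucket = "${local.application_name_short}-${local.environment}-scripts"
  tags   = merge(local.tags, { Name = "${local.application_name_short}-${local.environment}-scripts" })
}

resource "aws_s3_bucket_server_side_encryption_configuration" "scripts" {
  bucket = aws_s3_bucket.scripts.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.cwa.arn
    }
    bucket_key_enabled = true
  }
}

# CKV_TF_1 (Checkov, further down): pin module sources to a commit sha, not
# a tag, because a tag can be moved after review and a sha cannot. The
# nested s3-bucket module in the Trivy log above already uses this form.
module "bastion_linux" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=<commit-sha>" # placeholder: the sha that v4.2.0 resolves to
  # remaining arguments as in bastion.tf
}
```

Two findings call for judgement rather than a code change: AVD-AWS-0053 only warns that the ALB is public, which is the purpose of an external load balancer, and CKV_AWS_24 further down flags `app_bastion_ssh` even though its visible lines reference the bastion security group rather than a CIDR, so confirm what that check actually evaluates before suppressing it. Re-running Trivy on the same directory is the check that the findings clear; the Checkov "Failed to download module" warnings mean the external modules themselves are not scanned unless `--download-external-modules` is passed.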

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-02-04 11:17:08,171 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-04 11:17:08,171 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-04 11:17:08,172 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 413, Failed checks: 53, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		215 | resource "aws_instance" "app2" {
		216 |   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone           = "eu-west-2a"
		219 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring                  = true
		221 |   vpc_security_group_ids      = [aws_security_group.app.id]
		222 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		224 |   key_name                    = aws_key_pair.cwa.key_name
		225 |   user_data_base64            = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		215 | resource "aws_instance" "app2" {
		216 |   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone           = "eu-west-2a"
		219 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring                  = true
		221 |   vpc_security_group_ids      = [aws_security_group.app.id]
		222 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		224 |   key_name                    = aws_key_pair.cwa.key_name
		225 |   user_data_base64            = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:266-270
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		266 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		267 |   security_group_id = aws_security_group.app.id
		268 |   cidr_ipv4         = "0.0.0.0/0"
		269 |   ip_protocol       = "-1"
		270 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:272-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		272 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		273 |   security_group_id            = aws_security_group.app.id
		274 |   description                  = "SSH from the Bastion"
		275 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		276 |   from_port                    = 22
		277 |   ip_protocol                  = "tcp"
		278 |   to_port                      = 22
		279 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:209-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		209 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		210 |   security_group_id = aws_security_group.concurrent_manager.id
		211 |   cidr_ipv4         = "0.0.0.0/0"
		212 |   ip_protocol       = "-1"
		213 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:215-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		215 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		216 |   security_group_id            = aws_security_group.concurrent_manager.id
		217 |   description                  = "SSH from the Bastion"
		218 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		219 |   from_port                    = 22
		220 |   ip_protocol                  = "tcp"
		221 |   to_port                      = 22
		222 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:235-239
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		235 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		236 |   security_group_id = aws_security_group.database.id
		237 |   cidr_ipv4         = "0.0.0.0/0"
		238 |   ip_protocol       = "-1"
		239 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:241-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		241 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		242 |   security_group_id            = aws_security_group.database.id
		243 |   description                  = "SSH from the Bastion"
		244 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		245 |   from_port                    = 22
		246 |   ip_protocol                  = "tcp"
		247 |   to_port                      = 22
		248 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:31-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		31 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		32 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		36 |   )
		37 |   policy = <<EOF
		38 | {
		39 |     "Version" : "2012-10-17",
		40 |     "Statement": [
		41 |         {
		42 |             "Action": [
		43 |                 "ec2:DeleteSnapshot",
		44 |                 "ec2:DescribeSnapshots"
		45 |             ],
		46 |             "Resource": "*",
		47 |             "Effect": "Allow"
		48 |         }
		49 |     ]
		50 | }
		51 | EOF
		52 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:31-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		31 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		32 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		36 |   )
		37 |   policy = <<EOF
		38 | {
		39 |     "Version" : "2012-10-17",
		40 |     "Statement": [
		41 |         {
		42 |             "Action": [
		43 |                 "ec2:DeleteSnapshot",
		44 |                 "ec2:DescribeSnapshots"
		45 |             ],
		46 |             "Resource": "*",
		47 |             "Effect": "Allow"
		48 |         }
		49 |     ]
		50 | }
		51 | EOF
		52 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:124-141
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		124 | resource "aws_security_group" "backup_lambda" {
		125 |   name        = "${local.application_name_short}-${local.environment}-backup-lambda-security-group"
		126 |   description = "Backup Lambda Security Group"
		127 |   vpc_id      = data.aws_vpc.shared.id
		128 | 
		129 |   egress {
		130 |     description = "outbound access"
		131 |     from_port   = 0
		132 |     to_port     = 0
		133 |     protocol    = "-1"
		134 |     cidr_blocks = ["0.0.0.0/0"]
		135 |   }
		136 | 
		137 |   tags = merge(
		138 |     local.tags,
		139 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-security-group" }
		140 |   )
		141 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:143-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		143 | resource "aws_lambda_function" "delete_db_snapshots" {
		144 | 
		145 |   description      = "Clean up script to delete old unused snapshots"
		146 |   function_name    = "deletesnapshotFunction"
		147 |   role             = aws_iam_role.backup_lambda.arn
		148 |   handler          = "deletesnapshots.lambda_handler"
		149 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		150 |   runtime          = "python3.8"
		151 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		152 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		153 |   memory_size      = 3000
		154 |   timeout          = 900
		155 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		156 | 
		157 |   vpc_config {
		158 |     security_group_ids = [aws_security_group.backup_lambda.id]
		159 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		160 |   }
		161 |   tags = merge(
		162 |     local.tags,
		163 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		164 |   )
		165 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:143-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		143 | resource "aws_lambda_function" "delete_db_snapshots" {
		144 | 
		145 |   description      = "Clean up script to delete old unused snapshots"
		146 |   function_name    = "deletesnapshotFunction"
		147 |   role             = aws_iam_role.backup_lambda.arn
		148 |   handler          = "deletesnapshots.lambda_handler"
		149 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		150 |   runtime          = "python3.8"
		151 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		152 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		153 |   memory_size      = 3000
		154 |   timeout          = 900
		155 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		156 | 
		157 |   vpc_config {
		158 |     security_group_ids = [aws_security_group.backup_lambda.id]
		159 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		160 |   }
		161 |   tags = merge(
		162 |     local.tags,
		163 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		164 |   )
		165 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:143-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		143 | resource "aws_lambda_function" "delete_db_snapshots" {
		144 | 
		145 |   description      = "Clean up script to delete old unused snapshots"
		146 |   function_name    = "deletesnapshotFunction"
		147 |   role             = aws_iam_role.backup_lambda.arn
		148 |   handler          = "deletesnapshots.lambda_handler"
		149 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		150 |   runtime          = "python3.8"
		151 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		152 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		153 |   memory_size      = 3000
		154 |   timeout          = 900
		155 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		156 | 
		157 |   vpc_config {
		158 |     security_group_ids = [aws_security_group.backup_lambda.id]
		159 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		160 |   }
		161 |   tags = merge(
		162 |     local.tags,
		163 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		164 |   )
		165 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:143-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		143 | resource "aws_lambda_function" "delete_db_snapshots" {
		144 | 
		145 |   description      = "Clean up script to delete old unused snapshots"
		146 |   function_name    = "deletesnapshotFunction"
		147 |   role             = aws_iam_role.backup_lambda.arn
		148 |   handler          = "deletesnapshots.lambda_handler"
		149 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		150 |   runtime          = "python3.8"
		151 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		152 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		153 |   memory_size      = 3000
		154 |   timeout          = 900
		155 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		156 | 
		157 |   vpc_config {
		158 |     security_group_ids = [aws_security_group.backup_lambda.id]
		159 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		160 |   }
		161 |   tags = merge(
		162 |     local.tags,
		163 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		164 |   )
		165 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:386-405
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		386 | resource "aws_ebs_volume" "app1" {
		387 |   availability_zone = "eu-west-2a"
		388 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		389 |   type              = "gp2"
		390 |   encrypted         = true
		391 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		392 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		393 | 
		394 |   lifecycle {
		395 |     replace_triggered_by = [
		396 |       aws_instance.app1.id
		397 |     ]
		398 |     ignore_changes = [kms_key_id]
		399 |   }
		400 | 
		401 |   tags = merge(
		402 |     local.tags,
		403 |     { "Name" = "${local.application_name_short}-app1-data" },
		404 |   )
		405 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:413-430
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		413 | resource "aws_ebs_volume" "app2" {
		414 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		415 |   availability_zone = "eu-west-2a"
		416 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		417 |   type              = "gp2"
		418 |   encrypted         = true
		419 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		420 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		421 | 
		422 |   lifecycle {
		423 |     ignore_changes = [kms_key_id]
		424 |   }
		425 | 
		426 |   tags = merge(
		427 |     local.tags,
		428 |     { "Name" = "${local.application_name_short}-app2-data" },
		429 |   )
		430 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:246-265
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		246 | resource "aws_ebs_volume" "concurrent_manager" {
		247 |   availability_zone = "eu-west-2a"
		248 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		249 |   type              = "gp2"
		250 |   encrypted         = true
		251 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		252 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		253 | 
		254 |   lifecycle {
		255 |     replace_triggered_by = [
		256 |       aws_instance.concurrent_manager.id
		257 |     ]
		258 |     ignore_changes = [kms_key_id]
		259 |   }
		260 | 
		261 |   tags = merge(
		262 |     local.tags,
		263 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		264 |   )
		265 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:410-426
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		410 | resource "aws_ebs_volume" "oradata" {
		411 |   availability_zone = "eu-west-2a"
		412 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		413 |   type              = "gp2"
		414 |   encrypted         = true
		415 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		416 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		417 | 
		418 |   lifecycle {
		419 |     ignore_changes = [kms_key_id]
		420 |   }
		421 | 
		422 |   tags = merge(
		423 |     local.tags,
		424 |     { "Name" = "${local.application_name_short}-database-oradata" },
		425 |   )
		426 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:434-450
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		434 | resource "aws_ebs_volume" "oracle" {
		435 |   availability_zone = "eu-west-2a"
		436 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		437 |   type              = "gp2"
		438 |   encrypted         = true
		439 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		440 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		441 | 
		442 |   lifecycle {
		443 |     ignore_changes = [kms_key_id]
		444 |   }
		445 | 
		446 |   tags = merge(
		447 |     local.tags,
		448 |     { "Name" = "${local.application_name_short}-database-oracle" },
		449 |   )
		450 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:458-474
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		458 | resource "aws_ebs_volume" "oraarch" {
		459 |   availability_zone = "eu-west-2a"
		460 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		461 |   type              = "gp2"
		462 |   encrypted         = true
		463 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		464 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		465 | 
		466 |   lifecycle {
		467 |     ignore_changes = [kms_key_id]
		468 |   }
		469 | 
		470 |   tags = merge(
		471 |     local.tags,
		472 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		473 |   )
		474 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:482-498
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		482 | resource "aws_ebs_volume" "oratmp" {
		483 |   availability_zone = "eu-west-2a"
		484 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		485 |   type              = "gp2"
		486 |   encrypted         = true
		487 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		488 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		489 | 
		490 |   lifecycle {
		491 |     ignore_changes = [kms_key_id]
		492 |   }
		493 | 
		494 |   tags = merge(
		495 |     local.tags,
		496 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		497 |   )
		498 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:506-522
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		506 | resource "aws_ebs_volume" "oraredo" {
		507 |   availability_zone = "eu-west-2a"
		508 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		509 |   type              = "gp2"
		510 |   encrypted         = true
		511 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		512 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		513 | 
		514 |   lifecycle {
		515 |     ignore_changes = [kms_key_id]
		516 |   }
		517 | 
		518 |   tags = merge(
		519 |     local.tags,
		520 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		521 |   )
		522 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:530-546
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		530 | resource "aws_ebs_volume" "share" {
		531 |   availability_zone = "eu-west-2a"
		532 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		533 |   type              = "gp2"
		534 |   encrypted         = true
		535 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		536 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		537 | 
		538 |   lifecycle {
		539 |     ignore_changes = [kms_key_id]
		540 |   }
		541 | 
		542 |   tags = merge(
		543 |     local.tags,
		544 |     { "Name" = "${local.application_name_short}-database-share" },
		545 |   )
		546 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:63-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		63 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		64 |   bucket = aws_s3_bucket.backup_lambda.id
		65 |   rule {
		66 |     object_ownership = "ObjectWriter"
		67 |   }
		68 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.scripts
	File: /s3.tf:21-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		21 | resource "aws_s3_bucket_ownership_controls" "scripts" {
		22 |   bucket = aws_s3_bucket.scripts.id
		23 |   rule {
		24 |     object_ownership = "ObjectWriter"
		25 |   }
		26 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/lambda.tf line 115:
 115: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2025-02-04T11:16:59Z	INFO	[vulndb] Need to update DB
2025-02-04T11:16:59Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-04T11:16:59Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T11:17:01Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T11:17:01Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-04T11:17:01Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-04T11:17:01Z	INFO	[misconfig] Need to update the built-in checks
2025-02-04T11:17:01Z	INFO	[misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2025-02-04T11:17:01Z	INFO	[secret] Secret scanning is enabled
2025-02-04T11:17:01Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T11:17:01Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T11:17:02Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-02-04T11:17:02Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-02-04T11:17:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T11:17:03Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T11:17:03Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T11:17:03Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T11:17:05Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T11:17:05Z	INFO	Number of language-specific files	num=0
2025-02-04T11:17:05Z	INFO	Detected config files	num=10

alb.tf (terraform)
==================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:132
   via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
 130   resource "aws_lb" "external" {
 ...   
 132 [   internal                   = false
 ...   
 153   }
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:193
   via app_servers.tf:192-194 (metadata_options)
    via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
 181   resource "aws_instance" "app1" {
 ...   
 193 [     http_tokens = "optional"
 ...   
 213   }
────────────────────────────────────────


AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:228
   via app_servers.tf:227-229 (metadata_options)
    via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
 215   resource "aws_instance" "app2" {
 ...   
 228 [     http_tokens = "optional"
 ...   
 248   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:181-213
────────────────────────────────────────
 181 ┌ resource "aws_instance" "app1" {
 182 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 183 │   availability_zone           = "eu-west-2a"
 184 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 185 │   monitoring                  = true
 186 │   vpc_security_group_ids      = [aws_security_group.app.id]
 187 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 188 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 189 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:215-248
────────────────────────────────────────
 215 ┌ resource "aws_instance" "app2" {
 216 │   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
 217 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 218 │   availability_zone           = "eu-west-2a"
 219 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 220 │   monitoring                  = true
 221 │   vpc_security_group_ids      = [aws_security_group.app.id]
 222 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 223 └   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 ...   
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:171
   via concurrent_manager.tf:170-172 (metadata_options)
    via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
 159   resource "aws_instance" "concurrent_manager" {
 ...   
 171 [     http_tokens = "optional"
 ...   
 191   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:159-191
────────────────────────────────────────
 159 ┌ resource "aws_instance" "concurrent_manager" {
 160 │   ami                         = local.application_data.accounts[local.environment].cm_ami_id
 161 │   availability_zone           = "eu-west-2a"
 162 │   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
 163 │   monitoring                  = true
 164 │   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
 165 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 166 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 167 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:195
   via database.tf:194-196 (metadata_options)
    via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 195 [     http_tokens = "optional"
 ...   
 212   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:183-212
────────────────────────────────────────
 183 ┌ resource "aws_instance" "database" {
 184 │   ami                         = local.application_data.accounts[local.environment].db_ami_id
 185 │   availability_zone           = "eu-west-2a"
 186 │   instance_type               = local.application_data.accounts[local.environment].db_instance_type
 187 │   monitoring                  = true
 188 │   vpc_security_group_ids      = [aws_security_group.database.id]
 189 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
 190 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 191 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



s3.tf (terraform)
=================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────


trivy_exitcode=1
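The Checkov, tflint and Trivy findings in the comment above all point at the same handful of Terraform settings: IMDSv2 left optional, unencrypted root volumes, an ALB that forwards malformed header fields, an S3 bucket with no default KMS encryption and ACLs still enabled, EBS and EFS outside any AWS Backup plan, and unpinned providers. The block below is an added example of the hardened form of each, written for this page; it is not code from this PR or from the repository. Resource names mirror the flagged ones, but the locals (local.app_ami_id and friends), the KMS keys aws_kms_key.ebs, aws_kms_key.s3 and aws_kms_key.backup, aws_iam_role.backup and the provider version constraints are placeholders for whatever the environment actually defines.

```hcl
# Added example, not code from this PR or repository. Locals, KMS keys,
# aws_iam_role.backup and version constraints are placeholders (assumptions).

# tflint terraform_required_providers: pin every provider the module uses, so a
# new provider release cannot change behaviour under an otherwise unchanged plan.
terraform {
  required_providers {
    aws   = { source = "hashicorp/aws", version = "~> 5.0" }
    local = { source = "hashicorp/local", version = "~> 2.4" }
    time  = { source = "hashicorp/time", version = "~> 0.12" }
    # hashicorp/template is archived at 2.2.0; replace data "template_file"
    # with the built-in templatefile() function rather than pinning it.
  }
}

# AVD-AWS-0028 and AVD-AWS-0131: require IMDSv2 session tokens and encrypt the
# root volume. Changing root_block_device.encrypted replaces the instance.
resource "aws_instance" "app1" {
  ami                    = local.app_ami_id
  instance_type          = local.app_instance_type
  subnet_id              = local.private_subnet_id
  vpc_security_group_ids = [aws_security_group.app.id]

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # was "optional"
    http_put_response_hop_limit = 1          # IMDS not reachable via a second network hop
  }

  root_block_device {
    encrypted  = true
    kms_key_id = aws_kms_key.ebs.arn
  }
}

# AVD-AWS-0052: drop header fields that are not valid HTTP before they reach the
# targets. AVD-AWS-0053 is a warning only; this external ALB is public by design.
resource "aws_lb" "external" {
  name                       = "cwa-loadbalancer"
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.external_lb.id]
  subnets                    = local.public_subnet_ids
  drop_invalid_header_fields = true
}

# AVD-AWS-0088, AVD-AWS-0132, CKV_AWS_145: default SSE-KMS on the scripts bucket.
resource "aws_s3_bucket_server_side_encryption_configuration" "scripts" {
  bucket = aws_s3_bucket.scripts.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn
    }
    bucket_key_enabled = true
  }
}

# CKV2_AWS_65: disable ACLs so the bucket policy is the only access path.
resource "aws_s3_bucket_ownership_controls" "scripts" {
  bucket = aws_s3_bucket.scripts.id
  rule {
    object_ownership = "BucketOwnerEnforced" # was "ObjectWriter"
  }
}

# CKV2_AWS_9 and CKV2_AWS_18: a backup plan that selects EBS volumes and the EFS
# file system by tag, so any resource carrying backup = "true" is included.
resource "aws_backup_vault" "cwa" {
  name        = "cwa-backup-vault"
  kms_key_arn = aws_kms_key.backup.arn
}

resource "aws_backup_plan" "cwa" {
  name = "cwa-daily"
  rule {
    rule_name         = "daily"
    target_vault_name = aws_backup_vault.cwa.name
    schedule          = "cron(0 2 * * ? *)"
    lifecycle {
      delete_after = 35
    }
  }
}

resource "aws_backup_selection" "cwa" {
  name         = "cwa-tagged"
  plan_id      = aws_backup_plan.cwa.id
  iam_role_arn = aws_iam_role.backup.arn # role with AWSBackupServiceRolePolicyForBackup attached
  selection_tag {
    type  = "STRINGEQUALS"
    key   = "backup"
    value = "true"
  }
}
```

Two of these changes can break things that currently work, so check before applying them. Setting http_tokens to "required" cuts off anything on the host that still speaks IMDSv1 (older SDKs and agents), and a hop limit of 1 stops containers on a bridged network from reaching IMDS at all; `aws ec2 describe-instances --query 'Reservations[].Instances[].MetadataOptions'` shows what each instance currently enforces. BucketOwnerEnforced rejects any PUT that sets an object ACL, so a writer that still sends bucket-owner-full-control needs updating first. For the backup selection to pick up aws_ebs_volume.oraredo, aws_ebs_volume.share and aws_efs_file_system.cwa, add backup = "true" to the tags merge on each of them.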

@vc13837 vc13837 had a problem deploying to contract-work-administration-development February 4, 2025 11:54 — with GitHub Actions Failure
Contributor

github-actions bot commented Feb 4, 2025

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2025-02-04T11:55:27Z INFO [vulndb] Need to update DB
2025-02-04T11:55:27Z INFO [vulndb] Downloading vulnerability DB...
2025-02-04T11:55:27Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T11:55:29Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T11:55:29Z INFO [vuln] Vulnerability scanning is enabled
2025-02-04T11:55:29Z INFO [misconfig] Misconfiguration scanning is enabled
2025-02-04T11:55:29Z INFO [misconfig] Need to update the built-in checks
2025-02-04T11:55:29Z INFO [misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2025-02-04T11:55:29Z INFO [secret] Secret scanning is enabled
2025-02-04T11:55:29Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T11:55:29Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T11:55:31Z INFO [terraform scanner] Scanning root module file_path="."
2025-02-04T11:55:31Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-02-04T11:55:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T11:55:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T11:55:31Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T11:55:31Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T11:55:33Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T11:55:33Z INFO Number of language-specific files num=0
2025-02-04T11:55:33Z INFO Detected config files num=10

alb.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:132
via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
130 resource "aws_lb" "external" {
...
132 [ internal = false
...
153 }
────────────────────────────────────────

app_servers.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:193
via app_servers.tf:192-194 (metadata_options)
via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
181 resource "aws_instance" "app1" {
...
193 [ http_tokens = "optional"
...
213 }
────────────────────────────────────────

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:228
via app_servers.tf:227-229 (metadata_options)
via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
215 resource "aws_instance" "app2" {
...
228 [ http_tokens = "optional"
...
248 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:181-213
────────────────────────────────────────
181 ┌ resource "aws_instance" "app1" {
182 │ ami = local.application_data.accounts[local.environment].app_ami_id
183 │ availability_zone = "eu-west-2a"
184 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
185 │ monitoring = true
186 │ vpc_security_group_ids = [aws_security_group.app.id]
187 │ subnet_id = data.aws_subnet.private_subnets_a.id
188 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
189 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:215-248
────────────────────────────────────────
215 ┌ resource "aws_instance" "app2" {
216 │ count = contains(["development2", "testing"], local.environment) ? 0 : 1
217 │ ami = local.application_data.accounts[local.environment].app_ami_id
218 │ availability_zone = "eu-west-2a"
219 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
220 │ monitoring = true
221 │ vpc_security_group_ids = [aws_security_group.app.id]
222 │ subnet_id = data.aws_subnet.private_subnets_a.id
223 └ iam_instance_profile = aws_iam_instance_profile.cwa.id
...
────────────────────────────────────────

concurrent_manager.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:171
via concurrent_manager.tf:170-172 (metadata_options)
via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
159 resource "aws_instance" "concurrent_manager" {
...
171 [ http_tokens = "optional"
...
191 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:159-191
────────────────────────────────────────
159 ┌ resource "aws_instance" "concurrent_manager" {
160 │ ami = local.application_data.accounts[local.environment].cm_ami_id
161 │ availability_zone = "eu-west-2a"
162 │ instance_type = local.application_data.accounts[local.environment].cm_instance_type
163 │ monitoring = true
164 │ vpc_security_group_ids = [aws_security_group.concurrent_manager.id]
165 │ subnet_id = data.aws_subnet.private_subnets_a.id
166 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
167 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

database.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:195
via database.tf:194-196 (metadata_options)
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
195 [ http_tokens = "optional"
...
212 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:183-212
────────────────────────────────────────
183 ┌ resource "aws_instance" "database" {
184 │ ami = local.application_data.accounts[local.environment].db_ami_id
185 │ availability_zone = "eu-west-2a"
186 │ instance_type = local.application_data.accounts[local.environment].db_instance_type
187 │ monitoring = true
188 │ vpc_security_group_ids = [aws_security_group.database.id]
189 │ subnet_id = data.aws_subnet.data_subnets_a.id
190 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
191 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:63-69
────────────────────────────────────────
63 ┌ resource "aws_s3_bucket" "backup_lambda" {
64 │ bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
65 │ tags = merge(
66 │ local.tags,
67 │ { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
68 │ )
69 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:63-69
────────────────────────────────────────
63 ┌ resource "aws_s3_bucket" "backup_lambda" {
64 │ bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
65 │ tags = merge(
66 │ local.tags,
67 │ { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
68 │ )
69 └ }
────────────────────────────────────────

s3.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────

trivy_exitcode=1

```

</details>

#### `Checkov Scan` Failed

<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-02-04 11:55:35,921 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-04 11:55:35,921 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-04 11:55:35,921 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 419, Failed checks: 58, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		215 | resource "aws_instance" "app2" {
		216 |   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone           = "eu-west-2a"
		219 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring                  = true
		221 |   vpc_security_group_ids      = [aws_security_group.app.id]
		222 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		224 |   key_name                    = aws_key_pair.cwa.key_name
		225 |   user_data_base64            = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		215 | resource "aws_instance" "app2" {
		216 |   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone           = "eu-west-2a"
		219 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring                  = true
		221 |   vpc_security_group_ids      = [aws_security_group.app.id]
		222 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		224 |   key_name                    = aws_key_pair.cwa.key_name
		225 |   user_data_base64            = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:266-270
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		266 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		267 |   security_group_id = aws_security_group.app.id
		268 |   cidr_ipv4         = "0.0.0.0/0"
		269 |   ip_protocol       = "-1"
		270 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:272-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		272 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		273 |   security_group_id            = aws_security_group.app.id
		274 |   description                  = "SSH from the Bastion"
		275 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		276 |   from_port                    = 22
		277 |   ip_protocol                  = "tcp"
		278 |   to_port                      = 22
		279 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:209-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		209 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		210 |   security_group_id = aws_security_group.concurrent_manager.id
		211 |   cidr_ipv4         = "0.0.0.0/0"
		212 |   ip_protocol       = "-1"
		213 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:215-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		215 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		216 |   security_group_id            = aws_security_group.concurrent_manager.id
		217 |   description                  = "SSH from the Bastion"
		218 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		219 |   from_port                    = 22
		220 |   ip_protocol                  = "tcp"
		221 |   to_port                      = 22
		222 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:235-239
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		235 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		236 |   security_group_id = aws_security_group.database.id
		237 |   cidr_ipv4         = "0.0.0.0/0"
		238 |   ip_protocol       = "-1"
		239 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:241-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		241 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		242 |   security_group_id            = aws_security_group.database.id
		243 |   description                  = "SSH from the Bastion"
		244 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		245 |   from_port                    = 22
		246 |   ip_protocol                  = "tcp"
		247 |   to_port                      = 22
		248 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:31-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		31 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		32 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		36 |   )
		37 |   policy = <<EOF
		38 | {
		39 |     "Version" : "2012-10-17",
		40 |     "Statement": [
		41 |         {
		42 |             "Action": [
		43 |                 "ec2:DeleteSnapshot",
		44 |                 "ec2:DescribeSnapshots"
		45 |             ],
		46 |             "Resource": "*",
		47 |             "Effect": "Allow"
		48 |         }
		49 |     ]
		50 | }
		51 | EOF
		52 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:31-52
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		31 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		32 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		36 |   )
		37 |   policy = <<EOF
		38 | {
		39 |     "Version" : "2012-10-17",
		40 |     "Statement": [
		41 |         {
		42 |             "Action": [
		43 |                 "ec2:DeleteSnapshot",
		44 |                 "ec2:DescribeSnapshots"
		45 |             ],
		46 |             "Resource": "*",
		47 |             "Effect": "Allow"
		48 |         }
		49 |     ]
		50 | }
		51 | EOF
		52 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:132-149
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		132 | resource "aws_security_group" "backup_lambda" {
		133 |   name        = "${local.application_name_short}-${local.environment}-backup-lambda-security-group"
		134 |   description = "Bakcup Lambda Security Group"
		135 |   vpc_id      = data.aws_vpc.shared.id
		136 | 
		137 |   egress {
		138 |     description = "outbound access"
		139 |     from_port   = 0
		140 |     to_port     = 0
		141 |     protocol    = "-1"
		142 |     cidr_blocks = ["0.0.0.0/0"]
		143 |   }
		144 | 
		145 |   tags = merge(
		146 |     local.tags,
		147 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-security-group" }
		148 |   )
		149 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:151-173
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		151 | resource "aws_lambda_function" "delete_db_snapshots" {
		152 | 
		153 |   description      = "Clean up script to delete old unused snapshots"
		154 |   function_name    = "deletesnapshotFunction"
		155 |   role             = aws_iam_role.backup_lambda.arn
		156 |   handler          = "deletesnapshots.lambda_handler"
		157 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		158 |   runtime          = "python3.8"
		159 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		160 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		161 |   memory_size      = 3000
		162 |   timeout          = 900
		163 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		164 | 
		165 |   vpc_config {
		166 |     security_group_ids = [aws_security_group.backup_lambda.id]
		167 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		168 |   }
		169 |   tags = merge(
		170 |     local.tags,
		171 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		172 |   )
		173 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:151-173
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		151 | resource "aws_lambda_function" "delete_db_snapshots" {
		152 | 
		153 |   description      = "Clean up script to delete old unused snapshots"
		154 |   function_name    = "deletesnapshotFunction"
		155 |   role             = aws_iam_role.backup_lambda.arn
		156 |   handler          = "deletesnapshots.lambda_handler"
		157 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		158 |   runtime          = "python3.8"
		159 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		160 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		161 |   memory_size      = 3000
		162 |   timeout          = 900
		163 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		164 | 
		165 |   vpc_config {
		166 |     security_group_ids = [aws_security_group.backup_lambda.id]
		167 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		168 |   }
		169 |   tags = merge(
		170 |     local.tags,
		171 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		172 |   )
		173 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:151-173
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		151 | resource "aws_lambda_function" "delete_db_snapshots" {
		152 | 
		153 |   description      = "Clean up script to delete old unused snapshots"
		154 |   function_name    = "deletesnapshotFunction"
		155 |   role             = aws_iam_role.backup_lambda.arn
		156 |   handler          = "deletesnapshots.lambda_handler"
		157 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		158 |   runtime          = "python3.8"
		159 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		160 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		161 |   memory_size      = 3000
		162 |   timeout          = 900
		163 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		164 | 
		165 |   vpc_config {
		166 |     security_group_ids = [aws_security_group.backup_lambda.id]
		167 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		168 |   }
		169 |   tags = merge(
		170 |     local.tags,
		171 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		172 |   )
		173 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:151-173
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		151 | resource "aws_lambda_function" "delete_db_snapshots" {
		152 | 
		153 |   description      = "Clean up script to delete old unused snapshots"
		154 |   function_name    = "deletesnapshotFunction"
		155 |   role             = aws_iam_role.backup_lambda.arn
		156 |   handler          = "deletesnapshots.lambda_handler"
		157 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		158 |   runtime          = "python3.8"
		159 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		160 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		161 |   memory_size      = 3000
		162 |   timeout          = 900
		163 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		164 | 
		165 |   vpc_config {
		166 |     security_group_ids = [aws_security_group.backup_lambda.id]
		167 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		168 |   }
		169 |   tags = merge(
		170 |     local.tags,
		171 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		172 |   )
		173 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:386-405
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		386 | resource "aws_ebs_volume" "app1" {
		387 |   availability_zone = "eu-west-2a"
		388 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		389 |   type              = "gp2"
		390 |   encrypted         = true
		391 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		392 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		393 | 
		394 |   lifecycle {
		395 |     replace_triggered_by = [
		396 |       aws_instance.app1.id
		397 |     ]
		398 |     ignore_changes = [kms_key_id]
		399 |   }
		400 | 
		401 |   tags = merge(
		402 |     local.tags,
		403 |     { "Name" = "${local.application_name_short}-app1-data" },
		404 |   )
		405 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:413-430
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		413 | resource "aws_ebs_volume" "app2" {
		414 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		415 |   availability_zone = "eu-west-2a"
		416 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		417 |   type              = "gp2"
		418 |   encrypted         = true
		419 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		420 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		421 | 
		422 |   lifecycle {
		423 |     ignore_changes = [kms_key_id]
		424 |   }
		425 | 
		426 |   tags = merge(
		427 |     local.tags,
		428 |     { "Name" = "${local.application_name_short}-app2-data" },
		429 |   )
		430 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:246-265
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		246 | resource "aws_ebs_volume" "concurrent_manager" {
		247 |   availability_zone = "eu-west-2a"
		248 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		249 |   type              = "gp2"
		250 |   encrypted         = true
		251 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		252 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		253 | 
		254 |   lifecycle {
		255 |     replace_triggered_by = [
		256 |       aws_instance.concurrent_manager.id
		257 |     ]
		258 |     ignore_changes = [kms_key_id]
		259 |   }
		260 | 
		261 |   tags = merge(
		262 |     local.tags,
		263 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		264 |   )
		265 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:410-426
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		410 | resource "aws_ebs_volume" "oradata" {
		411 |   availability_zone = "eu-west-2a"
		412 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		413 |   type              = "gp2"
		414 |   encrypted         = true
		415 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		416 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		417 | 
		418 |   lifecycle {
		419 |     ignore_changes = [kms_key_id]
		420 |   }
		421 | 
		422 |   tags = merge(
		423 |     local.tags,
		424 |     { "Name" = "${local.application_name_short}-database-oradata" },
		425 |   )
		426 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:434-450
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		434 | resource "aws_ebs_volume" "oracle" {
		435 |   availability_zone = "eu-west-2a"
		436 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		437 |   type              = "gp2"
		438 |   encrypted         = true
		439 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		440 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		441 | 
		442 |   lifecycle {
		443 |     ignore_changes = [kms_key_id]
		444 |   }
		445 | 
		446 |   tags = merge(
		447 |     local.tags,
		448 |     { "Name" = "${local.application_name_short}-database-oracle" },
		449 |   )
		450 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:458-474
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		458 | resource "aws_ebs_volume" "oraarch" {
		459 |   availability_zone = "eu-west-2a"
		460 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		461 |   type              = "gp2"
		462 |   encrypted         = true
		463 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		464 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		465 | 
		466 |   lifecycle {
		467 |     ignore_changes = [kms_key_id]
		468 |   }
		469 | 
		470 |   tags = merge(
		471 |     local.tags,
		472 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		473 |   )
		474 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:482-498
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		482 | resource "aws_ebs_volume" "oratmp" {
		483 |   availability_zone = "eu-west-2a"
		484 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		485 |   type              = "gp2"
		486 |   encrypted         = true
		487 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		488 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		489 | 
		490 |   lifecycle {
		491 |     ignore_changes = [kms_key_id]
		492 |   }
		493 | 
		494 |   tags = merge(
		495 |     local.tags,
		496 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		497 |   )
		498 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:506-522
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		506 | resource "aws_ebs_volume" "oraredo" {
		507 |   availability_zone = "eu-west-2a"
		508 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		509 |   type              = "gp2"
		510 |   encrypted         = true
		511 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		512 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		513 | 
		514 |   lifecycle {
		515 |     ignore_changes = [kms_key_id]
		516 |   }
		517 | 
		518 |   tags = merge(
		519 |     local.tags,
		520 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		521 |   )
		522 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:530-546
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		530 | resource "aws_ebs_volume" "share" {
		531 |   availability_zone = "eu-west-2a"
		532 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		533 |   type              = "gp2"
		534 |   encrypted         = true
		535 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		536 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		537 | 
		538 |   lifecycle {
		539 |     ignore_changes = [kms_key_id]
		540 |   }
		541 | 
		542 |   tags = merge(
		543 |     local.tags,
		544 |     { "Name" = "${local.application_name_short}-database-share" },
		545 |   )
		546 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:63-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		63 | resource "aws_s3_bucket" "backup_lambda" {
		64 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		65 |   tags = merge(
		66 |     local.tags,
		67 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		68 |   )
		69 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:63-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		63 | resource "aws_s3_bucket" "backup_lambda" {
		64 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		65 |   tags = merge(
		66 |     local.tags,
		67 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		68 |   )
		69 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:63-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		63 | resource "aws_s3_bucket" "backup_lambda" {
		64 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		65 |   tags = merge(
		66 |     local.tags,
		67 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		68 |   )
		69 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:63-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		63 | resource "aws_s3_bucket" "backup_lambda" {
		64 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		65 |   tags = merge(
		66 |     local.tags,
		67 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		68 |   )
		69 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:71-76
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		71 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		72 |   bucket = aws_s3_bucket.backup_lambda.id
		73 |   rule {
		74 |     object_ownership = "ObjectWriter"
		75 |   }
		76 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.scripts
	File: /s3.tf:21-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		21 | resource "aws_s3_bucket_ownership_controls" "scripts" {
		22 |   bucket = aws_s3_bucket.scripts.id
		23 |   rule {
		24 |     object_ownership = "ObjectWriter"
		25 |   }
		26 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:63-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		63 | resource "aws_s3_bucket" "backup_lambda" {
		64 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		65 |   tags = merge(
		66 |     local.tags,
		67 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		68 |   )
		69 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/lambda.tf line 123:
 123: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2025-02-04T11:55:27Z	INFO	[vulndb] Need to update DB
2025-02-04T11:55:27Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-04T11:55:27Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T11:55:29Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T11:55:29Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-04T11:55:29Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-04T11:55:29Z	INFO	[misconfig] Need to update the built-in checks
2025-02-04T11:55:29Z	INFO	[misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2025-02-04T11:55:29Z	INFO	[secret] Secret scanning is enabled
2025-02-04T11:55:29Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T11:55:29Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T11:55:31Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-02-04T11:55:31Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-02-04T11:55:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T11:55:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T11:55:31Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T11:55:31Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T11:55:33Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T11:55:33Z	INFO	Number of language-specific files	num=0
2025-02-04T11:55:33Z	INFO	Detected config files	num=10

alb.tf (terraform)
==================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:132
   via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
 130   resource "aws_lb" "external" {
 ...   
 132 [   internal                   = false
 ...   
 153   }
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:193
   via app_servers.tf:192-194 (metadata_options)
    via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
 181   resource "aws_instance" "app1" {
 ...   
 193 [     http_tokens = "optional"
 ...   
 213   }
────────────────────────────────────────


AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:228
   via app_servers.tf:227-229 (metadata_options)
    via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
 215   resource "aws_instance" "app2" {
 ...   
 228 [     http_tokens = "optional"
 ...   
 248   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:181-213
────────────────────────────────────────
 181 ┌ resource "aws_instance" "app1" {
 182 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 183 │   availability_zone           = "eu-west-2a"
 184 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 185 │   monitoring                  = true
 186 │   vpc_security_group_ids      = [aws_security_group.app.id]
 187 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 188 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 189 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:215-248
────────────────────────────────────────
 215 ┌ resource "aws_instance" "app2" {
 216 │   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
 217 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 218 │   availability_zone           = "eu-west-2a"
 219 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 220 │   monitoring                  = true
 221 │   vpc_security_group_ids      = [aws_security_group.app.id]
 222 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 223 └   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 ...   
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:171
   via concurrent_manager.tf:170-172 (metadata_options)
    via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
 159   resource "aws_instance" "concurrent_manager" {
 ...   
 171 [     http_tokens = "optional"
 ...   
 191   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:159-191
────────────────────────────────────────
 159 ┌ resource "aws_instance" "concurrent_manager" {
 160 │   ami                         = local.application_data.accounts[local.environment].cm_ami_id
 161 │   availability_zone           = "eu-west-2a"
 162 │   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
 163 │   monitoring                  = true
 164 │   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
 165 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 166 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 167 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:195
   via database.tf:194-196 (metadata_options)
    via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 195 [     http_tokens = "optional"
 ...   
 212   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:183-212
────────────────────────────────────────
 183 ┌ resource "aws_instance" "database" {
 184 │   ami                         = local.application_data.accounts[local.environment].db_ami_id
 185 │   availability_zone           = "eu-west-2a"
 186 │   instance_type               = local.application_data.accounts[local.environment].db_instance_type
 187 │   monitoring                  = true
 188 │   vpc_security_group_ids      = [aws_security_group.database.id]
 189 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
 190 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 191 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:63-69
────────────────────────────────────────
  63 ┌ resource "aws_s3_bucket" "backup_lambda" {
  64 │   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
  65 │   tags = merge(
  66 │     local.tags,
  67 │     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
  68 │   )
  69 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:63-69
────────────────────────────────────────
  63 ┌ resource "aws_s3_bucket" "backup_lambda" {
  64 │   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
  65 │   tags = merge(
  66 │     local.tags,
  67 │     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
  68 │   )
  69 └ }
────────────────────────────────────────



s3.tf (terraform)
=================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────


trivy_exitcode=1

@vc13837 vc13837 had a problem deploying to contract-work-administration-development February 4, 2025 13:20 — with GitHub Actions Failure

github-actions bot commented Feb 4, 2025

Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2025-02-04T13:20:43Z INFO [vulndb] Need to update DB
2025-02-04T13:20:43Z INFO [vulndb] Downloading vulnerability DB...
2025-02-04T13:20:43Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T13:20:45Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T13:20:45Z INFO [vuln] Vulnerability scanning is enabled
2025-02-04T13:20:45Z INFO [misconfig] Misconfiguration scanning is enabled
2025-02-04T13:20:45Z INFO [misconfig] Need to update the built-in checks
2025-02-04T13:20:45Z INFO [misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2025-02-04T13:20:45Z INFO [secret] Secret scanning is enabled
2025-02-04T13:20:45Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T13:20:45Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T13:20:46Z INFO [terraform scanner] Scanning root module file_path="."
2025-02-04T13:20:46Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-02-04T13:20:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T13:20:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T13:20:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T13:20:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T13:20:49Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T13:20:50Z INFO Number of language-specific files num=0
2025-02-04T13:20:50Z INFO Detected config files num=10

alb.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:132
via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
130 resource "aws_lb" "external" {
...
132 [ internal = false
...
153 }
────────────────────────────────────────

app_servers.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:193
via app_servers.tf:192-194 (metadata_options)
via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
181 resource "aws_instance" "app1" {
...
193 [ http_tokens = "optional"
...
213 }
────────────────────────────────────────

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:228
via app_servers.tf:227-229 (metadata_options)
via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
215 resource "aws_instance" "app2" {
...
228 [ http_tokens = "optional"
...
248 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:181-213
────────────────────────────────────────
181 ┌ resource "aws_instance" "app1" {
182 │ ami = local.application_data.accounts[local.environment].app_ami_id
183 │ availability_zone = "eu-west-2a"
184 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
185 │ monitoring = true
186 │ vpc_security_group_ids = [aws_security_group.app.id]
187 │ subnet_id = data.aws_subnet.private_subnets_a.id
188 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
189 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:215-248
────────────────────────────────────────
215 ┌ resource "aws_instance" "app2" {
216 │ count = contains(["development2", "testing"], local.environment) ? 0 : 1
217 │ ami = local.application_data.accounts[local.environment].app_ami_id
218 │ availability_zone = "eu-west-2a"
219 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
220 │ monitoring = true
221 │ vpc_security_group_ids = [aws_security_group.app.id]
222 │ subnet_id = data.aws_subnet.private_subnets_a.id
223 └ iam_instance_profile = aws_iam_instance_profile.cwa.id
...
────────────────────────────────────────

concurrent_manager.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:171
via concurrent_manager.tf:170-172 (metadata_options)
via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
159 resource "aws_instance" "concurrent_manager" {
...
171 [ http_tokens = "optional"
...
191 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:159-191
────────────────────────────────────────
159 ┌ resource "aws_instance" "concurrent_manager" {
160 │ ami = local.application_data.accounts[local.environment].cm_ami_id
161 │ availability_zone = "eu-west-2a"
162 │ instance_type = local.application_data.accounts[local.environment].cm_instance_type
163 │ monitoring = true
164 │ vpc_security_group_ids = [aws_security_group.concurrent_manager.id]
165 │ subnet_id = data.aws_subnet.private_subnets_a.id
166 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
167 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

database.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:195
via database.tf:194-196 (metadata_options)
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
195 [ http_tokens = "optional"
...
212 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:183-212
────────────────────────────────────────
183 ┌ resource "aws_instance" "database" {
184 │ ami = local.application_data.accounts[local.environment].db_ami_id
185 │ availability_zone = "eu-west-2a"
186 │ instance_type = local.application_data.accounts[local.environment].db_instance_type
187 │ monitoring = true
188 │ vpc_security_group_ids = [aws_security_group.database.id]
189 │ subnet_id = data.aws_subnet.data_subnets_a.id
190 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
191 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:73-79
────────────────────────────────────────
73 ┌ resource "aws_s3_bucket" "backup_lambda" {
74 │ bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
75 │ tags = merge(
76 │ local.tags,
77 │ { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
78 │ )
79 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:73-79
────────────────────────────────────────
73 ┌ resource "aws_s3_bucket" "backup_lambda" {
74 │ bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
75 │ tags = merge(
76 │ local.tags,
77 │ { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
78 │ )
79 └ }
────────────────────────────────────────

s3.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────

trivy_exitcode=1
```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-02-04 13:20:53,112 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-04 13:20:53,112 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-04 13:20:53,112 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 419, Failed checks: 58, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		215 | resource "aws_instance" "app2" {
		216 |   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone           = "eu-west-2a"
		219 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring                  = true
		221 |   vpc_security_group_ids      = [aws_security_group.app.id]
		222 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		224 |   key_name                    = aws_key_pair.cwa.key_name
		225 |   user_data_base64            = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		215 | resource "aws_instance" "app2" {
		216 |   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone           = "eu-west-2a"
		219 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring                  = true
		221 |   vpc_security_group_ids      = [aws_security_group.app.id]
		222 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		224 |   key_name                    = aws_key_pair.cwa.key_name
		225 |   user_data_base64            = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:266-270
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		266 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		267 |   security_group_id = aws_security_group.app.id
		268 |   cidr_ipv4         = "0.0.0.0/0"
		269 |   ip_protocol       = "-1"
		270 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:272-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		272 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		273 |   security_group_id            = aws_security_group.app.id
		274 |   description                  = "SSH from the Bastion"
		275 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		276 |   from_port                    = 22
		277 |   ip_protocol                  = "tcp"
		278 |   to_port                      = 22
		279 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:209-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		209 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		210 |   security_group_id = aws_security_group.concurrent_manager.id
		211 |   cidr_ipv4         = "0.0.0.0/0"
		212 |   ip_protocol       = "-1"
		213 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:215-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		215 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		216 |   security_group_id            = aws_security_group.concurrent_manager.id
		217 |   description                  = "SSH from the Bastion"
		218 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		219 |   from_port                    = 22
		220 |   ip_protocol                  = "tcp"
		221 |   to_port                      = 22
		222 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:235-239
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		235 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		236 |   security_group_id = aws_security_group.database.id
		237 |   cidr_ipv4         = "0.0.0.0/0"
		238 |   ip_protocol       = "-1"
		239 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:241-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		241 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		242 |   security_group_id            = aws_security_group.database.id
		243 |   description                  = "SSH from the Bastion"
		244 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		245 |   from_port                    = 22
		246 |   ip_protocol                  = "tcp"
		247 |   to_port                      = 22
		248 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:31-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		31 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		32 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		36 |   )
		37 |   policy = <<EOF
		38 | {
		39 |     "Version" : "2012-10-17",
		40 |     "Statement": [
		41 |         {
		42 |             "Action": [
		43 |                 "ec2:DescribeNetworkInterfaces",
		44 |                 "ec2:DeleteSnapshot",
		45 |                 "ec2:DescribeSubnets",
		46 |                 "ec2:DescribeVpcs",
		47 |                 "ec2:DescribeInstances",
		48 |                 "ec2:DescribeAddresses",
		49 |                 "ec2:DescribeInstanceStatus",
		50 |                 "ec2:DescribeVolumes",
		51 |                 "ec2:DescribeSnapshots",
		52 |                 "logs:CreateLogGroup",
		53 |                 "logs:CreateLogStream",
		54 |                 "logs:PutLogEvents"
		55 |             ],
		56 |             "Resource": "*",
		57 |             "Effect": "Allow"
		58 |         }
		59 |     ]
		60 | }
		61 | EOF
		62 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:31-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		31 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		32 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		36 |   )
		37 |   policy = <<EOF
		38 | {
		39 |     "Version" : "2012-10-17",
		40 |     "Statement": [
		41 |         {
		42 |             "Action": [
		43 |                 "ec2:DescribeNetworkInterfaces",
		44 |                 "ec2:DeleteSnapshot",
		45 |                 "ec2:DescribeSubnets",
		46 |                 "ec2:DescribeVpcs",
		47 |                 "ec2:DescribeInstances",
		48 |                 "ec2:DescribeAddresses",
		49 |                 "ec2:DescribeInstanceStatus",
		50 |                 "ec2:DescribeVolumes",
		51 |                 "ec2:DescribeSnapshots",
		52 |                 "logs:CreateLogGroup",
		53 |                 "logs:CreateLogStream",
		54 |                 "logs:PutLogEvents"
		55 |             ],
		56 |             "Resource": "*",
		57 |             "Effect": "Allow"
		58 |         }
		59 |     ]
		60 | }
		61 | EOF
		62 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:142-159
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		142 | resource "aws_security_group" "backup_lambda" {
		143 |   name        = "${local.application_name_short}-${local.environment}-backup-lambda-security-group"
		144 |   description = "Bakcup Lambda Security Group"
		145 |   vpc_id      = data.aws_vpc.shared.id
		146 | 
		147 |   egress {
		148 |     description = "outbound access"
		149 |     from_port   = 0
		150 |     to_port     = 0
		151 |     protocol    = "-1"
		152 |     cidr_blocks = ["0.0.0.0/0"]
		153 |   }
		154 | 
		155 |   tags = merge(
		156 |     local.tags,
		157 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-security-group" }
		158 |   )
		159 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:161-183
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		161 | resource "aws_lambda_function" "delete_db_snapshots" {
		162 | 
		163 |   description      = "Clean up script to delete old unused snapshots"
		164 |   function_name    = "deletesnapshotFunction"
		165 |   role             = aws_iam_role.backup_lambda.arn
		166 |   handler          = "deletesnapshots.lambda_handler"
		167 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		168 |   runtime          = "python3.8"
		169 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		170 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		171 |   memory_size      = 3000
		172 |   timeout          = 900
		173 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		174 | 
		175 |   vpc_config {
		176 |     security_group_ids = [aws_security_group.backup_lambda.id]
		177 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		178 |   }
		179 |   tags = merge(
		180 |     local.tags,
		181 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		182 |   )
		183 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:161-183
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		161 | resource "aws_lambda_function" "delete_db_snapshots" {
		162 | 
		163 |   description      = "Clean up script to delete old unused snapshots"
		164 |   function_name    = "deletesnapshotFunction"
		165 |   role             = aws_iam_role.backup_lambda.arn
		166 |   handler          = "deletesnapshots.lambda_handler"
		167 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		168 |   runtime          = "python3.8"
		169 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		170 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		171 |   memory_size      = 3000
		172 |   timeout          = 900
		173 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		174 | 
		175 |   vpc_config {
		176 |     security_group_ids = [aws_security_group.backup_lambda.id]
		177 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		178 |   }
		179 |   tags = merge(
		180 |     local.tags,
		181 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		182 |   )
		183 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:161-183
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		161 | resource "aws_lambda_function" "delete_db_snapshots" {
		162 | 
		163 |   description      = "Clean up script to delete old unused snapshots"
		164 |   function_name    = "deletesnapshotFunction"
		165 |   role             = aws_iam_role.backup_lambda.arn
		166 |   handler          = "deletesnapshots.lambda_handler"
		167 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		168 |   runtime          = "python3.8"
		169 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		170 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		171 |   memory_size      = 3000
		172 |   timeout          = 900
		173 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		174 | 
		175 |   vpc_config {
		176 |     security_group_ids = [aws_security_group.backup_lambda.id]
		177 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		178 |   }
		179 |   tags = merge(
		180 |     local.tags,
		181 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		182 |   )
		183 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:161-183
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		161 | resource "aws_lambda_function" "delete_db_snapshots" {
		162 | 
		163 |   description      = "Clean up script to delete old unused snapshots"
		164 |   function_name    = "deletesnapshotFunction"
		165 |   role             = aws_iam_role.backup_lambda.arn
		166 |   handler          = "deletesnapshots.lambda_handler"
		167 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		168 |   runtime          = "python3.8"
		169 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		170 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		171 |   memory_size      = 3000
		172 |   timeout          = 900
		173 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		174 | 
		175 |   vpc_config {
		176 |     security_group_ids = [aws_security_group.backup_lambda.id]
		177 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		178 |   }
		179 |   tags = merge(
		180 |     local.tags,
		181 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		182 |   )
		183 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:386-405
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		386 | resource "aws_ebs_volume" "app1" {
		387 |   availability_zone = "eu-west-2a"
		388 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		389 |   type              = "gp2"
		390 |   encrypted         = true
		391 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		392 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		393 | 
		394 |   lifecycle {
		395 |     replace_triggered_by = [
		396 |       aws_instance.app1.id
		397 |     ]
		398 |     ignore_changes = [kms_key_id]
		399 |   }
		400 | 
		401 |   tags = merge(
		402 |     local.tags,
		403 |     { "Name" = "${local.application_name_short}-app1-data" },
		404 |   )
		405 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:413-430
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		413 | resource "aws_ebs_volume" "app2" {
		414 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		415 |   availability_zone = "eu-west-2a"
		416 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		417 |   type              = "gp2"
		418 |   encrypted         = true
		419 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		420 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		421 | 
		422 |   lifecycle {
		423 |     ignore_changes = [kms_key_id]
		424 |   }
		425 | 
		426 |   tags = merge(
		427 |     local.tags,
		428 |     { "Name" = "${local.application_name_short}-app2-data" },
		429 |   )
		430 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:246-265
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		246 | resource "aws_ebs_volume" "concurrent_manager" {
		247 |   availability_zone = "eu-west-2a"
		248 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		249 |   type              = "gp2"
		250 |   encrypted         = true
		251 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		252 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		253 | 
		254 |   lifecycle {
		255 |     replace_triggered_by = [
		256 |       aws_instance.concurrent_manager.id
		257 |     ]
		258 |     ignore_changes = [kms_key_id]
		259 |   }
		260 | 
		261 |   tags = merge(
		262 |     local.tags,
		263 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		264 |   )
		265 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:410-426
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		410 | resource "aws_ebs_volume" "oradata" {
		411 |   availability_zone = "eu-west-2a"
		412 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		413 |   type              = "gp2"
		414 |   encrypted         = true
		415 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		416 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		417 | 
		418 |   lifecycle {
		419 |     ignore_changes = [kms_key_id]
		420 |   }
		421 | 
		422 |   tags = merge(
		423 |     local.tags,
		424 |     { "Name" = "${local.application_name_short}-database-oradata" },
		425 |   )
		426 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:434-450
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		434 | resource "aws_ebs_volume" "oracle" {
		435 |   availability_zone = "eu-west-2a"
		436 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		437 |   type              = "gp2"
		438 |   encrypted         = true
		439 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		440 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		441 | 
		442 |   lifecycle {
		443 |     ignore_changes = [kms_key_id]
		444 |   }
		445 | 
		446 |   tags = merge(
		447 |     local.tags,
		448 |     { "Name" = "${local.application_name_short}-database-oracle" },
		449 |   )
		450 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:458-474
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		458 | resource "aws_ebs_volume" "oraarch" {
		459 |   availability_zone = "eu-west-2a"
		460 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		461 |   type              = "gp2"
		462 |   encrypted         = true
		463 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		464 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		465 | 
		466 |   lifecycle {
		467 |     ignore_changes = [kms_key_id]
		468 |   }
		469 | 
		470 |   tags = merge(
		471 |     local.tags,
		472 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		473 |   )
		474 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:482-498
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		482 | resource "aws_ebs_volume" "oratmp" {
		483 |   availability_zone = "eu-west-2a"
		484 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		485 |   type              = "gp2"
		486 |   encrypted         = true
		487 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		488 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		489 | 
		490 |   lifecycle {
		491 |     ignore_changes = [kms_key_id]
		492 |   }
		493 | 
		494 |   tags = merge(
		495 |     local.tags,
		496 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		497 |   )
		498 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:506-522
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		506 | resource "aws_ebs_volume" "oraredo" {
		507 |   availability_zone = "eu-west-2a"
		508 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		509 |   type              = "gp2"
		510 |   encrypted         = true
		511 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		512 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		513 | 
		514 |   lifecycle {
		515 |     ignore_changes = [kms_key_id]
		516 |   }
		517 | 
		518 |   tags = merge(
		519 |     local.tags,
		520 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		521 |   )
		522 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:530-546
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		530 | resource "aws_ebs_volume" "share" {
		531 |   availability_zone = "eu-west-2a"
		532 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		533 |   type              = "gp2"
		534 |   encrypted         = true
		535 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		536 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		537 | 
		538 |   lifecycle {
		539 |     ignore_changes = [kms_key_id]
		540 |   }
		541 | 
		542 |   tags = merge(
		543 |     local.tags,
		544 |     { "Name" = "${local.application_name_short}-database-share" },
		545 |   )
		546 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:73-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		73 | resource "aws_s3_bucket" "backup_lambda" {
		74 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		75 |   tags = merge(
		76 |     local.tags,
		77 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		78 |   )
		79 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:73-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		73 | resource "aws_s3_bucket" "backup_lambda" {
		74 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		75 |   tags = merge(
		76 |     local.tags,
		77 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		78 |   )
		79 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:81-86
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		81 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		82 |   bucket = aws_s3_bucket.backup_lambda.id
		83 |   rule {
		84 |     object_ownership = "ObjectWriter"
		85 |   }
		86 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.scripts
	File: /s3.tf:21-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		21 | resource "aws_s3_bucket_ownership_controls" "scripts" {
		22 |   bucket = aws_s3_bucket.scripts.id
		23 |   rule {
		24 |     object_ownership = "ObjectWriter"
		25 |   }
		26 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:73-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		73 | resource "aws_s3_bucket" "backup_lambda" {
		74 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		75 |   tags = merge(
		76 |     local.tags,
		77 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		78 |   )
		79 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:73-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		73 | resource "aws_s3_bucket" "backup_lambda" {
		74 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		75 |   tags = merge(
		76 |     local.tags,
		77 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		78 |   )
		79 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:73-79
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		73 | resource "aws_s3_bucket" "backup_lambda" {
		74 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		75 |   tags = merge(
		76 |     local.tags,
		77 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		78 |   )
		79 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/database.tf line 174:
 174: resource "time_sleep" "wait_db_userdata_scripts" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2025-02-04T13:20:43Z	INFO	[vulndb] Need to update DB
2025-02-04T13:20:43Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-04T13:20:43Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T13:20:45Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T13:20:45Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-04T13:20:45Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-04T13:20:45Z	INFO	[misconfig] Need to update the built-in checks
2025-02-04T13:20:45Z	INFO	[misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2025-02-04T13:20:45Z	INFO	[secret] Secret scanning is enabled
2025-02-04T13:20:45Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T13:20:45Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T13:20:46Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-02-04T13:20:46Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-02-04T13:20:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T13:20:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T13:20:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T13:20:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T13:20:49Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T13:20:50Z	INFO	Number of language-specific files	num=0
2025-02-04T13:20:50Z	INFO	Detected config files	num=10

alb.tf (terraform)
==================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:132
   via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
 130   resource "aws_lb" "external" {
 ...   
 132 [   internal                   = false
 ...   
 153   }
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:193
   via app_servers.tf:192-194 (metadata_options)
    via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
 181   resource "aws_instance" "app1" {
 ...   
 193 [     http_tokens = "optional"
 ...   
 213   }
────────────────────────────────────────


AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:228
   via app_servers.tf:227-229 (metadata_options)
    via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
 215   resource "aws_instance" "app2" {
 ...   
 228 [     http_tokens = "optional"
 ...   
 248   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:181-213
────────────────────────────────────────
 181resource "aws_instance" "app1" {
 182 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 183 │   availability_zone           = "eu-west-2a"
 184 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 185 │   monitoring                  = true
 186 │   vpc_security_group_ids      = [aws_security_group.app.id]
 187 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 188 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 189 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:215-248
────────────────────────────────────────
 215 ┌ resource "aws_instance" "app2" {
 216 │   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
 217 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 218 │   availability_zone           = "eu-west-2a"
 219 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 220 │   monitoring                  = true
 221 │   vpc_security_group_ids      = [aws_security_group.app.id]
 222 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 223 └   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 ...   
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:171
   via concurrent_manager.tf:170-172 (metadata_options)
    via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
 159   resource "aws_instance" "concurrent_manager" {
 ...   
 171 [     http_tokens = "optional"
 ...   
 191   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:159-191
────────────────────────────────────────
 159 ┌ resource "aws_instance" "concurrent_manager" {
 160 │   ami                         = local.application_data.accounts[local.environment].cm_ami_id
 161 │   availability_zone           = "eu-west-2a"
 162 │   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
 163 │   monitoring                  = true
 164 │   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
 165 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 166 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 167 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:195
   via database.tf:194-196 (metadata_options)
    via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 195 [     http_tokens = "optional"
 ...   
 212   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:183-212
────────────────────────────────────────
 183 ┌ resource "aws_instance" "database" {
 184 │   ami                         = local.application_data.accounts[local.environment].db_ami_id
 185 │   availability_zone           = "eu-west-2a"
 186 │   instance_type               = local.application_data.accounts[local.environment].db_instance_type
 187 │   monitoring                  = true
 188 │   vpc_security_group_ids      = [aws_security_group.database.id]
 189 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
 190 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 191 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:73-79
────────────────────────────────────────
  73 ┌ resource "aws_s3_bucket" "backup_lambda" {
  74 │   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
  75 │   tags = merge(
  76 │     local.tags,
  77 │     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
  78 │   )
  79 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:73-79
────────────────────────────────────────
  73 ┌ resource "aws_s3_bucket" "backup_lambda" {
  74 │   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
  75 │   tags = merge(
  76 │     local.tags,
  77 │     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
  78 │   )
  79 └ }
────────────────────────────────────────



s3.tf (terraform)
=================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────


trivy_exitcode=1
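
Every finding in the report above is an argument that is either absent or set to its weak value in the PR's Terraform (the Checkov output further down even shows `drop_invalid_header_fields = true` sitting commented out in `aws_lb.external`). The block below is an added example, not code from this PR or from the Modernisation Platform repository: it shows the hardened counterpart of each flagged resource type, reusing the resource and local names from the report. The KMS key `aws_kms_key.cwa` is an assumption (the PR defines no customer managed key for these resources), only one of the four flagged instances is written out, and attributes the report does not show (access logs, tags, key pairs) are omitted.

```hcl
# Added example: hardened counterparts of the resources Trivy flagged.
# ASSUMPTION: this CMK does not exist in the PR; it stands in for whatever key the
# account already uses for EBS and S3 encryption.
resource "aws_kms_key" "cwa" {
  description         = "CMK for ${local.application_name_short} EBS volumes and S3 buckets"
  enable_key_rotation = true
  tags                = local.tags
}

# AVD-AWS-0052 / CKV_AWS_131: enable the argument that is commented out in the PR.
# AVD-AWS-0053 is a warning about intent, not a defect: an internet-facing ALB must
# keep internal = false, so that one finding is suppressed with an inline ignore
# rather than "fixed".
#trivy:ignore:AVD-AWS-0053
resource "aws_lb" "external" {
  name                       = "${upper(local.application_name_short)}-LoadBalancer"
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.external_lb.id]
  subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
  enable_deletion_protection = local.lb_enable_deletion_protection
  idle_timeout               = local.external_lb_idle_timeout
  enable_http2               = false
  drop_invalid_header_fields = true # drop header names that are not valid per the HTTP spec before they reach the target
}

# AVD-AWS-0028 and AVD-AWS-0131 apply to app1, app2, concurrent_manager and database alike;
# app1 is shown, the other three take the same two nested blocks.
resource "aws_instance" "app1" {
  ami                    = local.application_data.accounts[local.environment].app_ami_id
  availability_zone      = "eu-west-2a"
  instance_type          = local.application_data.accounts[local.environment].app_instance_type
  monitoring             = true
  vpc_security_group_ids = [aws_security_group.app.id]
  subnet_id              = data.aws_subnet.private_subnets_a.id
  iam_instance_profile   = aws_iam_instance_profile.cwa.id

  # IMDSv2 only. The session token must be obtained with a PUT, and a hop limit of 1
  # keeps the response from leaving the host, so a plain GET-based SSRF through the
  # application cannot read the instance profile credentials.
  # Raise the hop limit to 2 only if containers on the host must reach IMDS themselves.
  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required"
    http_put_response_hop_limit = 1
  }

  # Encrypt the root volume with the CMK. Changing "encrypted" on an existing instance
  # forces replacement, so this is a rebuild from an encrypted AMI, not an in-place update.
  root_block_device {
    encrypted  = true
    kms_key_id = aws_kms_key.cwa.arn
  }
}

# AVD-AWS-0088 / AVD-AWS-0132 on aws_s3_bucket.backup_lambda and aws_s3_bucket.scripts.
# With AWS provider v4 and later, encryption is configured in a separate resource, so
# the bucket block on its own can never satisfy these checks; scripts is shown, the
# backup_lambda bucket takes the same two companion resources.
resource "aws_s3_bucket" "scripts" {
  bucket = "${local.application_name_short}-${local.environment}-scripts"
  tags = merge(
    local.tags,
    { Name = "${local.application_name_short}-${local.environment}-scripts" }
  )
}

resource "aws_s3_bucket_server_side_encryption_configuration" "scripts" {
  bucket = aws_s3_bucket.scripts.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.cwa.arn
    }
    bucket_key_enabled = true # S3 Bucket Keys cut the number of KMS calls SSE-KMS generates
  }
}

resource "aws_s3_bucket_public_access_block" "scripts" {
  bucket                  = aws_s3_bucket.scripts.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
```

Two checks are worth running before applying this. `http_tokens = "required"` can be changed in place, but anything on the host still calling IMDSv1 (older SDKs, legacy agents, scripts that curl 169.254.169.254 without a token) loses its credentials the moment it is enforced; the EC2 `MetadataNoToken` CloudWatch metric shows whether such callers exist. The S3 encryption change is safe to apply to a live bucket, but objects already stored stay unencrypted until they are rewritten, so the finding disappears from the scanner before the data is actually protected.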

@vc13837 vc13837 temporarily deployed to contract-work-administration-development February 4, 2025 13:56 — with GitHub Actions Inactive
Contributor

github-actions bot commented Feb 4, 2025

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2025-02-04T13:57:29Z INFO [vulndb] Need to update DB
2025-02-04T13:57:29Z INFO [vulndb] Downloading vulnerability DB...
2025-02-04T13:57:29Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T13:57:31Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T13:57:31Z INFO [vuln] Vulnerability scanning is enabled
2025-02-04T13:57:31Z INFO [misconfig] Misconfiguration scanning is enabled
2025-02-04T13:57:31Z INFO [misconfig] Need to update the built-in checks
2025-02-04T13:57:31Z INFO [misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2025-02-04T13:57:31Z INFO [secret] Secret scanning is enabled
2025-02-04T13:57:31Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T13:57:31Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T13:57:33Z INFO [terraform scanner] Scanning root module file_path="."
2025-02-04T13:57:33Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-02-04T13:57:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T13:57:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T13:57:33Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T13:57:33Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T13:57:35Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T13:57:35Z INFO Number of language-specific files num=0
2025-02-04T13:57:35Z INFO Detected config files num=10

alb.tf (terraform)
==================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:132
via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
130 resource "aws_lb" "external" {
...
132 [ internal = false
...
153 }
────────────────────────────────────────

app_servers.tf (terraform)
==========================
Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:193
via app_servers.tf:192-194 (metadata_options)
via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
181 resource "aws_instance" "app1" {
...
193 [ http_tokens = "optional"
...
213 }
────────────────────────────────────────

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:228
via app_servers.tf:227-229 (metadata_options)
via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
215 resource "aws_instance" "app2" {
...
228 [ http_tokens = "optional"
...
248 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:181-213
────────────────────────────────────────
181 ┌ resource "aws_instance" "app1" {
182 │ ami = local.application_data.accounts[local.environment].app_ami_id
183 │ availability_zone = "eu-west-2a"
184 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
185 │ monitoring = true
186 │ vpc_security_group_ids = [aws_security_group.app.id]
187 │ subnet_id = data.aws_subnet.private_subnets_a.id
188 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
189 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:215-248
────────────────────────────────────────
215 ┌ resource "aws_instance" "app2" {
216 │ count = contains(["development2", "testing"], local.environment) ? 0 : 1
217 │ ami = local.application_data.accounts[local.environment].app_ami_id
218 │ availability_zone = "eu-west-2a"
219 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
220 │ monitoring = true
221 │ vpc_security_group_ids = [aws_security_group.app.id]
222 │ subnet_id = data.aws_subnet.private_subnets_a.id
223 └ iam_instance_profile = aws_iam_instance_profile.cwa.id
...
────────────────────────────────────────

concurrent_manager.tf (terraform)
=================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:171
via concurrent_manager.tf:170-172 (metadata_options)
via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
159 resource "aws_instance" "concurrent_manager" {
...
171 [ http_tokens = "optional"
...
191 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:159-191
────────────────────────────────────────
159 ┌ resource "aws_instance" "concurrent_manager" {
160 │ ami = local.application_data.accounts[local.environment].cm_ami_id
161 │ availability_zone = "eu-west-2a"
162 │ instance_type = local.application_data.accounts[local.environment].cm_instance_type
163 │ monitoring = true
164 │ vpc_security_group_ids = [aws_security_group.concurrent_manager.id]
165 │ subnet_id = data.aws_subnet.private_subnets_a.id
166 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
167 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:195
via database.tf:194-196 (metadata_options)
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
195 [ http_tokens = "optional"
...
212 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:183-212
────────────────────────────────────────
183 ┌ resource "aws_instance" "database" {
184 │ ami = local.application_data.accounts[local.environment].db_ami_id
185 │ availability_zone = "eu-west-2a"
186 │ instance_type = local.application_data.accounts[local.environment].db_instance_type
187 │ monitoring = true
188 │ vpc_security_group_ids = [aws_security_group.database.id]
189 │ subnet_id = data.aws_subnet.data_subnets_a.id
190 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
191 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:75-81
────────────────────────────────────────
75 ┌ resource "aws_s3_bucket" "backup_lambda" {
76 │ bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
77 │ tags = merge(
78 │ local.tags,
79 │ { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
80 │ )
81 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:75-81
────────────────────────────────────────
75 ┌ resource "aws_s3_bucket" "backup_lambda" {
76 │ bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
77 │ tags = merge(
78 │ local.tags,
79 │ { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
80 │ )
81 └ }
────────────────────────────────────────

s3.tf (terraform)
=================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-02-04 13:57:38,016 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-04 13:57:38,016 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-04 13:57:38,016 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 419, Failed checks: 58, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		215 | resource "aws_instance" "app2" {
		216 |   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone           = "eu-west-2a"
		219 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring                  = true
		221 |   vpc_security_group_ids      = [aws_security_group.app.id]
		222 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		224 |   key_name                    = aws_key_pair.cwa.key_name
		225 |   user_data_base64            = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		215 | resource "aws_instance" "app2" {
		216 |   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone           = "eu-west-2a"
		219 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring                  = true
		221 |   vpc_security_group_ids      = [aws_security_group.app.id]
		222 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		224 |   key_name                    = aws_key_pair.cwa.key_name
		225 |   user_data_base64            = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:266-270
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		266 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		267 |   security_group_id = aws_security_group.app.id
		268 |   cidr_ipv4         = "0.0.0.0/0"
		269 |   ip_protocol       = "-1"
		270 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:272-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		272 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		273 |   security_group_id            = aws_security_group.app.id
		274 |   description                  = "SSH from the Bastion"
		275 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		276 |   from_port                    = 22
		277 |   ip_protocol                  = "tcp"
		278 |   to_port                      = 22
		279 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:209-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		209 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		210 |   security_group_id = aws_security_group.concurrent_manager.id
		211 |   cidr_ipv4         = "0.0.0.0/0"
		212 |   ip_protocol       = "-1"
		213 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:215-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		215 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		216 |   security_group_id            = aws_security_group.concurrent_manager.id
		217 |   description                  = "SSH from the Bastion"
		218 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		219 |   from_port                    = 22
		220 |   ip_protocol                  = "tcp"
		221 |   to_port                      = 22
		222 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:235-239
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		235 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		236 |   security_group_id = aws_security_group.database.id
		237 |   cidr_ipv4         = "0.0.0.0/0"
		238 |   ip_protocol       = "-1"
		239 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:241-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		241 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		242 |   security_group_id            = aws_security_group.database.id
		243 |   description                  = "SSH from the Bastion"
		244 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		245 |   from_port                    = 22
		246 |   ip_protocol                  = "tcp"
		247 |   to_port                      = 22
		248 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:31-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		31 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		32 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		36 |   )
		37 |   policy = <<EOF
		38 | {
		39 |     "Version" : "2012-10-17",
		40 |     "Statement": [
		41 |         {
		42 |             "Action": [
		43 |                 "ec2:CreateNetworkInterface",
		44 |                 "ec2:DescribeNetworkInterfaces",
		45 |                 "ec2:DeleteNetworkInterface",
		46 |                 "ec2:DeleteSnapshot",
		47 |                 "ec2:DescribeSubnets",
		48 |                 "ec2:DescribeVpcs",
		49 |                 "ec2:DescribeInstances",
		50 |                 "ec2:DescribeAddresses",
		51 |                 "ec2:DescribeInstanceStatus",
		52 |                 "ec2:DescribeVolumes",
		53 |                 "ec2:DescribeSnapshots",
		54 |                 "logs:CreateLogGroup",
		55 |                 "logs:CreateLogStream",
		56 |                 "logs:PutLogEvents"
		57 |             ],
		58 |             "Resource": "*",
		59 |             "Effect": "Allow"
		60 |         }
		61 |     ]
		62 | }
		63 | EOF
		64 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:31-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		31 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		32 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		36 |   )
		37 |   policy = <<EOF
		38 | {
		39 |     "Version" : "2012-10-17",
		40 |     "Statement": [
		41 |         {
		42 |             "Action": [
		43 |                 "ec2:CreateNetworkInterface",
		44 |                 "ec2:DescribeNetworkInterfaces",
		45 |                 "ec2:DeleteNetworkInterface",
		46 |                 "ec2:DeleteSnapshot",
		47 |                 "ec2:DescribeSubnets",
		48 |                 "ec2:DescribeVpcs",
		49 |                 "ec2:DescribeInstances",
		50 |                 "ec2:DescribeAddresses",
		51 |                 "ec2:DescribeInstanceStatus",
		52 |                 "ec2:DescribeVolumes",
		53 |                 "ec2:DescribeSnapshots",
		54 |                 "logs:CreateLogGroup",
		55 |                 "logs:CreateLogStream",
		56 |                 "logs:PutLogEvents"
		57 |             ],
		58 |             "Resource": "*",
		59 |             "Effect": "Allow"
		60 |         }
		61 |     ]
		62 | }
		63 | EOF
		64 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:144-161
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		144 | resource "aws_security_group" "backup_lambda" {
		145 |   name        = "${local.application_name_short}-${local.environment}-backup-lambda-security-group"
		146 |   description = "Bakcup Lambda Security Group"
		147 |   vpc_id      = data.aws_vpc.shared.id
		148 | 
		149 |   egress {
		150 |     description = "outbound access"
		151 |     from_port   = 0
		152 |     to_port     = 0
		153 |     protocol    = "-1"
		154 |     cidr_blocks = ["0.0.0.0/0"]
		155 |   }
		156 | 
		157 |   tags = merge(
		158 |     local.tags,
		159 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-security-group" }
		160 |   )
		161 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:386-405
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		386 | resource "aws_ebs_volume" "app1" {
		387 |   availability_zone = "eu-west-2a"
		388 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		389 |   type              = "gp2"
		390 |   encrypted         = true
		391 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		392 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		393 | 
		394 |   lifecycle {
		395 |     replace_triggered_by = [
		396 |       aws_instance.app1.id
		397 |     ]
		398 |     ignore_changes = [kms_key_id]
		399 |   }
		400 | 
		401 |   tags = merge(
		402 |     local.tags,
		403 |     { "Name" = "${local.application_name_short}-app1-data" },
		404 |   )
		405 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:413-430
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		413 | resource "aws_ebs_volume" "app2" {
		414 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		415 |   availability_zone = "eu-west-2a"
		416 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		417 |   type              = "gp2"
		418 |   encrypted         = true
		419 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		420 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		421 | 
		422 |   lifecycle {
		423 |     ignore_changes = [kms_key_id]
		424 |   }
		425 | 
		426 |   tags = merge(
		427 |     local.tags,
		428 |     { "Name" = "${local.application_name_short}-app2-data" },
		429 |   )
		430 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:246-265
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		246 | resource "aws_ebs_volume" "concurrent_manager" {
		247 |   availability_zone = "eu-west-2a"
		248 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		249 |   type              = "gp2"
		250 |   encrypted         = true
		251 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		252 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		253 | 
		254 |   lifecycle {
		255 |     replace_triggered_by = [
		256 |       aws_instance.concurrent_manager.id
		257 |     ]
		258 |     ignore_changes = [kms_key_id]
		259 |   }
		260 | 
		261 |   tags = merge(
		262 |     local.tags,
		263 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		264 |   )
		265 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:410-426
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		410 | resource "aws_ebs_volume" "oradata" {
		411 |   availability_zone = "eu-west-2a"
		412 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		413 |   type              = "gp2"
		414 |   encrypted         = true
		415 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		416 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		417 | 
		418 |   lifecycle {
		419 |     ignore_changes = [kms_key_id]
		420 |   }
		421 | 
		422 |   tags = merge(
		423 |     local.tags,
		424 |     { "Name" = "${local.application_name_short}-database-oradata" },
		425 |   )
		426 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:434-450
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		434 | resource "aws_ebs_volume" "oracle" {
		435 |   availability_zone = "eu-west-2a"
		436 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		437 |   type              = "gp2"
		438 |   encrypted         = true
		439 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		440 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		441 | 
		442 |   lifecycle {
		443 |     ignore_changes = [kms_key_id]
		444 |   }
		445 | 
		446 |   tags = merge(
		447 |     local.tags,
		448 |     { "Name" = "${local.application_name_short}-database-oracle" },
		449 |   )
		450 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:458-474
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		458 | resource "aws_ebs_volume" "oraarch" {
		459 |   availability_zone = "eu-west-2a"
		460 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		461 |   type              = "gp2"
		462 |   encrypted         = true
		463 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		464 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		465 | 
		466 |   lifecycle {
		467 |     ignore_changes = [kms_key_id]
		468 |   }
		469 | 
		470 |   tags = merge(
		471 |     local.tags,
		472 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		473 |   )
		474 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:482-498
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		482 | resource "aws_ebs_volume" "oratmp" {
		483 |   availability_zone = "eu-west-2a"
		484 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		485 |   type              = "gp2"
		486 |   encrypted         = true
		487 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		488 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		489 | 
		490 |   lifecycle {
		491 |     ignore_changes = [kms_key_id]
		492 |   }
		493 | 
		494 |   tags = merge(
		495 |     local.tags,
		496 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		497 |   )
		498 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:506-522
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		506 | resource "aws_ebs_volume" "oraredo" {
		507 |   availability_zone = "eu-west-2a"
		508 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		509 |   type              = "gp2"
		510 |   encrypted         = true
		511 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		512 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		513 | 
		514 |   lifecycle {
		515 |     ignore_changes = [kms_key_id]
		516 |   }
		517 | 
		518 |   tags = merge(
		519 |     local.tags,
		520 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		521 |   )
		522 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:530-546
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		530 | resource "aws_ebs_volume" "share" {
		531 |   availability_zone = "eu-west-2a"
		532 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		533 |   type              = "gp2"
		534 |   encrypted         = true
		535 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		536 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		537 | 
		538 |   lifecycle {
		539 |     ignore_changes = [kms_key_id]
		540 |   }
		541 | 
		542 |   tags = merge(
		543 |     local.tags,
		544 |     { "Name" = "${local.application_name_short}-database-share" },
		545 |   )
		546 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:83-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		83 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		84 |   bucket = aws_s3_bucket.backup_lambda.id
		85 |   rule {
		86 |     object_ownership = "ObjectWriter"
		87 |   }
		88 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.scripts
	File: /s3.tf:21-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		21 | resource "aws_s3_bucket_ownership_controls" "scripts" {
		22 |   bucket = aws_s3_bucket.scripts.id
		23 |   rule {
		24 |     object_ownership = "ObjectWriter"
		25 |   }
		26 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/app_servers.tf line 171:
 171: resource "time_sleep" "wait_app_userdata_scripts" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2025-02-04T13:57:29Z	INFO	[vulndb] Need to update DB
2025-02-04T13:57:29Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-04T13:57:29Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T13:57:31Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T13:57:31Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-04T13:57:31Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-04T13:57:31Z	INFO	[misconfig] Need to update the built-in checks
2025-02-04T13:57:31Z	INFO	[misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-02-04T13:57:31Z	INFO	[secret] Secret scanning is enabled
2025-02-04T13:57:31Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T13:57:31Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T13:57:33Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-02-04T13:57:33Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-02-04T13:57:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T13:57:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T13:57:33Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T13:57:33Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T13:57:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T13:57:35Z	INFO	Number of language-specific files	num=0
2025-02-04T13:57:35Z	INFO	Detected config files	num=10

alb.tf (terraform)
==================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:132
   via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
 130   resource "aws_lb" "external" {
 ...   
 132 [   internal                   = false
 ...   
 153   }
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:193
   via app_servers.tf:192-194 (metadata_options)
    via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
 181   resource "aws_instance" "app1" {
 ...   
 193 [     http_tokens = "optional"
 ...   
 213   }
────────────────────────────────────────


AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:228
   via app_servers.tf:227-229 (metadata_options)
    via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
 215   resource "aws_instance" "app2" {
 ...   
 228 [     http_tokens = "optional"
 ...   
 248   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:181-213
────────────────────────────────────────
 181resource "aws_instance" "app1" {
 182 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 183 │   availability_zone           = "eu-west-2a"
 184 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 185 │   monitoring                  = true
 186 │   vpc_security_group_ids      = [aws_security_group.app.id]
 187 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 188 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 189 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:215-248
────────────────────────────────────────
 215 ┌ resource "aws_instance" "app2" {
 216 │   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
 217 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 218 │   availability_zone           = "eu-west-2a"
 219 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 220 │   monitoring                  = true
 221 │   vpc_security_group_ids      = [aws_security_group.app.id]
 222 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 223 └   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 ...   
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:171
   via concurrent_manager.tf:170-172 (metadata_options)
    via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
 159   resource "aws_instance" "concurrent_manager" {
 ...   
 171 [     http_tokens = "optional"
 ...   
 191   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:159-191
────────────────────────────────────────
 159 ┌ resource "aws_instance" "concurrent_manager" {
 160 │   ami                         = local.application_data.accounts[local.environment].cm_ami_id
 161 │   availability_zone           = "eu-west-2a"
 162 │   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
 163 │   monitoring                  = true
 164 │   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
 165 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 166 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 167 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:195
   via database.tf:194-196 (metadata_options)
    via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 195 [     http_tokens = "optional"
 ...   
 212   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:183-212
────────────────────────────────────────
 183 ┌ resource "aws_instance" "database" {
 184 │   ami                         = local.application_data.accounts[local.environment].db_ami_id
 185 │   availability_zone           = "eu-west-2a"
 186 │   instance_type               = local.application_data.accounts[local.environment].db_instance_type
 187 │   monitoring                  = true
 188 │   vpc_security_group_ids      = [aws_security_group.database.id]
 189 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
 190 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 191 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:75-81
────────────────────────────────────────
  75 ┌ resource "aws_s3_bucket" "backup_lambda" {
  76 │   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
  77 │   tags = merge(
  78 │     local.tags,
  79 │     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
  80 │   )
  81 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:75-81
────────────────────────────────────────
  75 ┌ resource "aws_s3_bucket" "backup_lambda" {
  76 │   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
  77 │   tags = merge(
  78 │     local.tags,
  79 │     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
  80 │   )
  81 └ }
────────────────────────────────────────



s3.tf (terraform)
=================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────


trivy_exitcode=1
```

@vc13837 vc13837 temporarily deployed to contract-work-administration-development February 4, 2025 14:53 — with GitHub Actions Inactive

github-actions bot commented Feb 4, 2025

Trivy Scan Failed

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2025-02-04T14:54:30Z INFO [vulndb] Need to update DB
2025-02-04T14:54:30Z INFO [vulndb] Downloading vulnerability DB...
2025-02-04T14:54:30Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T14:54:33Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T14:54:33Z INFO [vuln] Vulnerability scanning is enabled
2025-02-04T14:54:33Z INFO [misconfig] Misconfiguration scanning is enabled
2025-02-04T14:54:33Z INFO [misconfig] Need to update the built-in checks
2025-02-04T14:54:33Z INFO [misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-02-04T14:54:33Z INFO [secret] Secret scanning is enabled
2025-02-04T14:54:33Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T14:54:33Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T14:54:34Z INFO [terraform scanner] Scanning root module file_path="."
2025-02-04T14:54:34Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-02-04T14:54:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T14:54:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T14:54:35Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T14:54:35Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T14:54:36Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T14:54:37Z INFO Number of language-specific files num=0
2025-02-04T14:54:37Z INFO Detected config files num=10

alb.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:132
via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
130 resource "aws_lb" "external" {
...
132 [ internal = false
...
153 }
────────────────────────────────────────

app_servers.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:193
via app_servers.tf:192-194 (metadata_options)
via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
181 resource "aws_instance" "app1" {
...
193 [ http_tokens = "optional"
...
213 }
────────────────────────────────────────

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:228
via app_servers.tf:227-229 (metadata_options)
via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
215 resource "aws_instance" "app2" {
...
228 [ http_tokens = "optional"
...
248 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:181-213
────────────────────────────────────────
181 ┌ resource "aws_instance" "app1" {
182 │ ami = local.application_data.accounts[local.environment].app_ami_id
183 │ availability_zone = "eu-west-2a"
184 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
185 │ monitoring = true
186 │ vpc_security_group_ids = [aws_security_group.app.id]
187 │ subnet_id = data.aws_subnet.private_subnets_a.id
188 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
189 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:215-248
────────────────────────────────────────
215 ┌ resource "aws_instance" "app2" {
216 │ count = contains(["development2", "testing"], local.environment) ? 0 : 1
217 │ ami = local.application_data.accounts[local.environment].app_ami_id
218 │ availability_zone = "eu-west-2a"
219 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
220 │ monitoring = true
221 │ vpc_security_group_ids = [aws_security_group.app.id]
222 │ subnet_id = data.aws_subnet.private_subnets_a.id
223 └ iam_instance_profile = aws_iam_instance_profile.cwa.id
...
────────────────────────────────────────

concurrent_manager.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:171
via concurrent_manager.tf:170-172 (metadata_options)
via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
159 resource "aws_instance" "concurrent_manager" {
...
171 [ http_tokens = "optional"
...
191 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:159-191
────────────────────────────────────────
159 ┌ resource "aws_instance" "concurrent_manager" {
160 │ ami = local.application_data.accounts[local.environment].cm_ami_id
161 │ availability_zone = "eu-west-2a"
162 │ instance_type = local.application_data.accounts[local.environment].cm_instance_type
163 │ monitoring = true
164 │ vpc_security_group_ids = [aws_security_group.concurrent_manager.id]
165 │ subnet_id = data.aws_subnet.private_subnets_a.id
166 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
167 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

database.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:195
via database.tf:194-196 (metadata_options)
via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
183 resource "aws_instance" "database" {
...
195 [ http_tokens = "optional"
...
212 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:183-212
────────────────────────────────────────
183 ┌ resource "aws_instance" "database" {
184 │ ami = local.application_data.accounts[local.environment].db_ami_id
185 │ availability_zone = "eu-west-2a"
186 │ instance_type = local.application_data.accounts[local.environment].db_instance_type
187 │ monitoring = true
188 │ vpc_security_group_ids = [aws_security_group.database.id]
189 │ subnet_id = data.aws_subnet.data_subnets_a.id
190 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
191 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:75-81
────────────────────────────────────────
75 ┌ resource "aws_s3_bucket" "backup_lambda" {
76 │ bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
77 │ tags = merge(
78 │ local.tags,
79 │ { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
80 │ )
81 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:75-81
────────────────────────────────────────
75 ┌ resource "aws_s3_bucket" "backup_lambda" {
76 │ bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
77 │ tags = merge(
78 │ local.tags,
79 │ { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
80 │ )
81 └ }
────────────────────────────────────────

s3.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────

trivy_exitcode=1
```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-02-04 14:54:39,798 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-04 14:54:39,798 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-04 14:54:39,798 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 421, Failed checks: 58, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		215 | resource "aws_instance" "app2" {
		216 |   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone           = "eu-west-2a"
		219 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring                  = true
		221 |   vpc_security_group_ids      = [aws_security_group.app.id]
		222 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		224 |   key_name                    = aws_key_pair.cwa.key_name
		225 |   user_data_base64            = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		215 | resource "aws_instance" "app2" {
		216 |   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone           = "eu-west-2a"
		219 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring                  = true
		221 |   vpc_security_group_ids      = [aws_security_group.app.id]
		222 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		224 |   key_name                    = aws_key_pair.cwa.key_name
		225 |   user_data_base64            = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:266-270
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		266 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		267 |   security_group_id = aws_security_group.app.id
		268 |   cidr_ipv4         = "0.0.0.0/0"
		269 |   ip_protocol       = "-1"
		270 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:272-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		272 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		273 |   security_group_id            = aws_security_group.app.id
		274 |   description                  = "SSH from the Bastion"
		275 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		276 |   from_port                    = 22
		277 |   ip_protocol                  = "tcp"
		278 |   to_port                      = 22
		279 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:209-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		209 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		210 |   security_group_id = aws_security_group.concurrent_manager.id
		211 |   cidr_ipv4         = "0.0.0.0/0"
		212 |   ip_protocol       = "-1"
		213 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:215-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		215 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		216 |   security_group_id            = aws_security_group.concurrent_manager.id
		217 |   description                  = "SSH from the Bastion"
		218 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		219 |   from_port                    = 22
		220 |   ip_protocol                  = "tcp"
		221 |   to_port                      = 22
		222 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:183-212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		183 | resource "aws_instance" "database" {
		184 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		185 |   availability_zone           = "eu-west-2a"
		186 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		187 |   monitoring                  = true
		188 |   vpc_security_group_ids      = [aws_security_group.database.id]
		189 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		190 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		191 |   key_name                    = aws_key_pair.cwa.key_name
		192 |   user_data_base64            = base64encode(local.db_userdata)
		193 |   user_data_replace_on_change = true
		194 |   metadata_options {
		195 |     http_tokens = "optional"
		196 |   }
		197 | 
		198 |   root_block_device {
		199 |     tags = merge(
		200 |       { "instance-scheduling" = "skip-scheduling" },
		201 |       local.tags,
		202 |       { "Name" = "${local.application_name_short}-database-root" }
		203 |     )
		204 |   }
		205 | 
		206 |   tags = merge(
		207 |     { "instance-scheduling" = "skip-scheduling" },
		208 |     local.tags,
		209 |     { "Name" = local.database_ec2_name }
		210 |   )
		211 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		212 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:235-239
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		235 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		236 |   security_group_id = aws_security_group.database.id
		237 |   cidr_ipv4         = "0.0.0.0/0"
		238 |   ip_protocol       = "-1"
		239 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:241-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		241 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		242 |   security_group_id            = aws_security_group.database.id
		243 |   description                  = "SSH from the Bastion"
		244 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		245 |   from_port                    = 22
		246 |   ip_protocol                  = "tcp"
		247 |   to_port                      = 22
		248 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:31-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		31 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		32 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		36 |   )
		37 |   policy = <<EOF
		38 | {
		39 |     "Version" : "2012-10-17",
		40 |     "Statement": [
		41 |         {
		42 |             "Action": [
		43 |                 "ec2:CreateNetworkInterface",
		44 |                 "ec2:DescribeNetworkInterfaces",
		45 |                 "ec2:DeleteNetworkInterface",
		46 |                 "ec2:DeleteSnapshot",
		47 |                 "ec2:DescribeSubnets",
		48 |                 "ec2:DescribeVpcs",
		49 |                 "ec2:DescribeInstances",
		50 |                 "ec2:DescribeAddresses",
		51 |                 "ec2:DescribeInstanceStatus",
		52 |                 "ec2:DescribeVolumes",
		53 |                 "ec2:DescribeSnapshots",
		54 |                 "logs:CreateLogGroup",
		55 |                 "logs:CreateLogStream",
		56 |                 "logs:PutLogEvents"
		57 |             ],
		58 |             "Resource": "*",
		59 |             "Effect": "Allow"
		60 |         }
		61 |     ]
		62 | }
		63 | EOF
		64 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:31-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		31 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		32 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		36 |   )
		37 |   policy = <<EOF
		38 | {
		39 |     "Version" : "2012-10-17",
		40 |     "Statement": [
		41 |         {
		42 |             "Action": [
		43 |                 "ec2:CreateNetworkInterface",
		44 |                 "ec2:DescribeNetworkInterfaces",
		45 |                 "ec2:DeleteNetworkInterface",
		46 |                 "ec2:DeleteSnapshot",
		47 |                 "ec2:DescribeSubnets",
		48 |                 "ec2:DescribeVpcs",
		49 |                 "ec2:DescribeInstances",
		50 |                 "ec2:DescribeAddresses",
		51 |                 "ec2:DescribeInstanceStatus",
		52 |                 "ec2:DescribeVolumes",
		53 |                 "ec2:DescribeSnapshots",
		54 |                 "logs:CreateLogGroup",
		55 |                 "logs:CreateLogStream",
		56 |                 "logs:PutLogEvents"
		57 |             ],
		58 |             "Resource": "*",
		59 |             "Effect": "Allow"
		60 |         }
		61 |     ]
		62 | }
		63 | EOF
		64 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:144-161
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		144 | resource "aws_security_group" "backup_lambda" {
		145 |   name        = "${local.application_name_short}-${local.environment}-backup-lambda-security-group"
		146 |   description = "Bakcup Lambda Security Group"
		147 |   vpc_id      = data.aws_vpc.shared.id
		148 | 
		149 |   egress {
		150 |     description = "outbound access"
		151 |     from_port   = 0
		152 |     to_port     = 0
		153 |     protocol    = "-1"
		154 |     cidr_blocks = ["0.0.0.0/0"]
		155 |   }
		156 | 
		157 |   tags = merge(
		158 |     local.tags,
		159 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-security-group" }
		160 |   )
		161 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:386-405
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		386 | resource "aws_ebs_volume" "app1" {
		387 |   availability_zone = "eu-west-2a"
		388 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		389 |   type              = "gp2"
		390 |   encrypted         = true
		391 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		392 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		393 | 
		394 |   lifecycle {
		395 |     replace_triggered_by = [
		396 |       aws_instance.app1.id
		397 |     ]
		398 |     ignore_changes = [kms_key_id]
		399 |   }
		400 | 
		401 |   tags = merge(
		402 |     local.tags,
		403 |     { "Name" = "${local.application_name_short}-app1-data" },
		404 |   )
		405 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:413-430
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		413 | resource "aws_ebs_volume" "app2" {
		414 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		415 |   availability_zone = "eu-west-2a"
		416 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		417 |   type              = "gp2"
		418 |   encrypted         = true
		419 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		420 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		421 | 
		422 |   lifecycle {
		423 |     ignore_changes = [kms_key_id]
		424 |   }
		425 | 
		426 |   tags = merge(
		427 |     local.tags,
		428 |     { "Name" = "${local.application_name_short}-app2-data" },
		429 |   )
		430 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:246-265
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		246 | resource "aws_ebs_volume" "concurrent_manager" {
		247 |   availability_zone = "eu-west-2a"
		248 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		249 |   type              = "gp2"
		250 |   encrypted         = true
		251 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		252 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		253 | 
		254 |   lifecycle {
		255 |     replace_triggered_by = [
		256 |       aws_instance.concurrent_manager.id
		257 |     ]
		258 |     ignore_changes = [kms_key_id]
		259 |   }
		260 | 
		261 |   tags = merge(
		262 |     local.tags,
		263 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		264 |   )
		265 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:410-426
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		410 | resource "aws_ebs_volume" "oradata" {
		411 |   availability_zone = "eu-west-2a"
		412 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		413 |   type              = "gp2"
		414 |   encrypted         = true
		415 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		416 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		417 | 
		418 |   lifecycle {
		419 |     ignore_changes = [kms_key_id]
		420 |   }
		421 | 
		422 |   tags = merge(
		423 |     local.tags,
		424 |     { "Name" = "${local.application_name_short}-database-oradata" },
		425 |   )
		426 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:434-450
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		434 | resource "aws_ebs_volume" "oracle" {
		435 |   availability_zone = "eu-west-2a"
		436 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		437 |   type              = "gp2"
		438 |   encrypted         = true
		439 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		440 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		441 | 
		442 |   lifecycle {
		443 |     ignore_changes = [kms_key_id]
		444 |   }
		445 | 
		446 |   tags = merge(
		447 |     local.tags,
		448 |     { "Name" = "${local.application_name_short}-database-oracle" },
		449 |   )
		450 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:458-474
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		458 | resource "aws_ebs_volume" "oraarch" {
		459 |   availability_zone = "eu-west-2a"
		460 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		461 |   type              = "gp2"
		462 |   encrypted         = true
		463 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		464 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		465 | 
		466 |   lifecycle {
		467 |     ignore_changes = [kms_key_id]
		468 |   }
		469 | 
		470 |   tags = merge(
		471 |     local.tags,
		472 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		473 |   )
		474 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:482-498
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		482 | resource "aws_ebs_volume" "oratmp" {
		483 |   availability_zone = "eu-west-2a"
		484 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		485 |   type              = "gp2"
		486 |   encrypted         = true
		487 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		488 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		489 | 
		490 |   lifecycle {
		491 |     ignore_changes = [kms_key_id]
		492 |   }
		493 | 
		494 |   tags = merge(
		495 |     local.tags,
		496 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		497 |   )
		498 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:506-522
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		506 | resource "aws_ebs_volume" "oraredo" {
		507 |   availability_zone = "eu-west-2a"
		508 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		509 |   type              = "gp2"
		510 |   encrypted         = true
		511 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		512 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		513 | 
		514 |   lifecycle {
		515 |     ignore_changes = [kms_key_id]
		516 |   }
		517 | 
		518 |   tags = merge(
		519 |     local.tags,
		520 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		521 |   )
		522 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:530-546
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		530 | resource "aws_ebs_volume" "share" {
		531 |   availability_zone = "eu-west-2a"
		532 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		533 |   type              = "gp2"
		534 |   encrypted         = true
		535 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		536 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		537 | 
		538 |   lifecycle {
		539 |     ignore_changes = [kms_key_id]
		540 |   }
		541 | 
		542 |   tags = merge(
		543 |     local.tags,
		544 |     { "Name" = "${local.application_name_short}-database-share" },
		545 |   )
		546 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:83-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		83 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		84 |   bucket = aws_s3_bucket.backup_lambda.id
		85 |   rule {
		86 |     object_ownership = "ObjectWriter"
		87 |   }
		88 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.scripts
	File: /s3.tf:21-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		21 | resource "aws_s3_bucket_ownership_controls" "scripts" {
		22 |   bucket = aws_s3_bucket.scripts.id
		23 |   rule {
		24 |     object_ownership = "ObjectWriter"
		25 |   }
		26 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/concurrent_manager.tf line 150:
 150: resource "time_sleep" "wait_cm_custom_script" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2025-02-04T14:54:30Z	INFO	[vulndb] Need to update DB
2025-02-04T14:54:30Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-04T14:54:30Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T14:54:33Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-04T14:54:33Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-04T14:54:33Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-04T14:54:33Z	INFO	[misconfig] Need to update the built-in checks
2025-02-04T14:54:33Z	INFO	[misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-02-04T14:54:33Z	INFO	[secret] Secret scanning is enabled
2025-02-04T14:54:33Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-04T14:54:33Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-04T14:54:34Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-02-04T14:54:34Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-02-04T14:54:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-04T14:54:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-04T14:54:35Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T14:54:35Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-04T14:54:36Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-04T14:54:37Z	INFO	Number of language-specific files	num=0
2025-02-04T14:54:37Z	INFO	Detected config files	num=10

alb.tf (terraform)
==================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:132
   via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
 130   resource "aws_lb" "external" {
 ...   
 132 [   internal                   = false
 ...   
 153   }
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:193
   via app_servers.tf:192-194 (metadata_options)
    via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
 181   resource "aws_instance" "app1" {
 ...   
 193 [     http_tokens = "optional"
 ...   
 213   }
────────────────────────────────────────


AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:228
   via app_servers.tf:227-229 (metadata_options)
    via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
 215   resource "aws_instance" "app2" {
 ...   
 228 [     http_tokens = "optional"
 ...   
 248   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:181-213
────────────────────────────────────────
 181 ┌ resource "aws_instance" "app1" {
 182 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 183 │   availability_zone           = "eu-west-2a"
 184 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 185 │   monitoring                  = true
 186 │   vpc_security_group_ids      = [aws_security_group.app.id]
 187 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 188 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 189 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:215-248
────────────────────────────────────────
 215 ┌ resource "aws_instance" "app2" {
 216 │   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
 217 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 218 │   availability_zone           = "eu-west-2a"
 219 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 220 │   monitoring                  = true
 221 │   vpc_security_group_ids      = [aws_security_group.app.id]
 222 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 223 └   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 ...   
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:171
   via concurrent_manager.tf:170-172 (metadata_options)
    via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
 159   resource "aws_instance" "concurrent_manager" {
 ...   
 171 [     http_tokens = "optional"
 ...   
 191   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:159-191
────────────────────────────────────────
 159 ┌ resource "aws_instance" "concurrent_manager" {
 160 │   ami                         = local.application_data.accounts[local.environment].cm_ami_id
 161 │   availability_zone           = "eu-west-2a"
 162 │   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
 163 │   monitoring                  = true
 164 │   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
 165 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 166 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 167 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:195
   via database.tf:194-196 (metadata_options)
    via database.tf:183-212 (aws_instance.database)
────────────────────────────────────────
 183   resource "aws_instance" "database" {
 ...   
 195 [     http_tokens = "optional"
 ...   
 212   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:183-212
────────────────────────────────────────
 183 ┌ resource "aws_instance" "database" {
 184 │   ami                         = local.application_data.accounts[local.environment].db_ami_id
 185 │   availability_zone           = "eu-west-2a"
 186 │   instance_type               = local.application_data.accounts[local.environment].db_instance_type
 187 │   monitoring                  = true
 188 │   vpc_security_group_ids      = [aws_security_group.database.id]
 189 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
 190 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 191 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:75-81
────────────────────────────────────────
  75 ┌ resource "aws_s3_bucket" "backup_lambda" {
  76 │   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
  77 │   tags = merge(
  78 │     local.tags,
  79 │     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
  80 │   )
  81 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:75-81
────────────────────────────────────────
  75 ┌ resource "aws_s3_bucket" "backup_lambda" {
  76 │   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
  77 │   tags = merge(
  78 │     local.tags,
  79 │     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
  80 │   )
  81 └ }
────────────────────────────────────────



s3.tf (terraform)
=================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────


trivy_exitcode=1

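Every HIGH finding in the scan above (IMDSv2 tokens optional, root volumes not declared encrypted, buckets with no server-side encryption or no customer managed key, and the ALB header check the rerun reports for alb.tf) is a one-attribute or one-resource change in the AWS provider. The block below is an added example written for this page, not code from the PR or the modernisation-platform repository. It reuses the locals, data sources and resource names the flagged resources already reference; the two aws_kms_key resources are assumptions, and key_name, user_data, access_logs and the Checkov-related lifecycle settings are left out to keep the example short.

```hcl
# Added example: hardened versions of the resources Trivy flagged.
# aws_kms_key.cwa_ebs and aws_kms_key.cwa_s3 are assumed names, not resources in the PR.

resource "aws_kms_key" "cwa_ebs" {
  description         = "CMK for CWA EBS root volumes"
  enable_key_rotation = true
}

resource "aws_kms_key" "cwa_s3" {
  description         = "CMK for CWA S3 buckets"
  enable_key_rotation = true
}

# AVD-AWS-0028 / CKV_AWS_79: require the IMDSv2 session token.
# AVD-AWS-0131: declare root volume encryption in HCL so a static scan can see it.
resource "aws_instance" "app1" {
  ami                    = local.application_data.accounts[local.environment].app_ami_id
  availability_zone      = "eu-west-2a"
  instance_type          = local.application_data.accounts[local.environment].app_instance_type
  monitoring             = true
  vpc_security_group_ids = [aws_security_group.app.id]
  subnet_id              = data.aws_subnet.private_subnets_a.id
  iam_instance_profile   = aws_iam_instance_profile.cwa.id

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # was "optional": IMDSv1 GETs from any process on the host still worked
    http_put_response_hop_limit = 1          # a token cannot be obtained through an extra hop (e.g. from a container)
  }

  root_block_device {
    encrypted  = true # changing this on an existing instance forces replacement
    kms_key_id = aws_kms_key.cwa_ebs.arn
    tags       = merge(local.tags, { Name = "${local.application_name_short}-app1-root" })
  }

  tags = merge(local.tags, { Name = local.appserver1_ec2_name })
}

# AVD-AWS-0088 / AVD-AWS-0132: SSE-KMS with a customer managed key. The AWS
# provider (v4 and later) configures this in a companion resource, not inline.
resource "aws_s3_bucket" "scripts" {
  bucket = "${local.application_name_short}-${local.environment}-scripts"
  tags   = merge(local.tags, { Name = "${local.application_name_short}-${local.environment}-scripts" })
}

resource "aws_s3_bucket_server_side_encryption_configuration" "scripts" {
  bucket = aws_s3_bucket.scripts.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.cwa_s3.arn
    }
    bucket_key_enabled = true # fewer KMS calls; the data is still encrypted under the CMK
  }
}

# AVD-AWS-0052 / CKV_AWS_131: drop header fields that are not RFC-compliant before
# they reach the targets. AVD-AWS-0053 (internal = false) is intentional for a
# public entry point and should be acknowledged rather than "fixed".
resource "aws_lb" "external" {
  name                       = "${upper(local.application_name_short)}-LoadBalancer"
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.external_lb.id]
  subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
  enable_deletion_protection = local.lb_enable_deletion_protection
  idle_timeout               = local.external_lb_idle_timeout
  enable_http2               = false
  drop_invalid_header_fields = true
}
```

Two caveats before applying this to the instances in this PR. Switching http_tokens to required is an in-place modification, but confirm first that everything on the AMI that reads instance metadata (the SSM agent, any AWS SDK or CLI in the user data scripts) speaks IMDSv2; anything still issuing plain GETs to 169.254.169.254 will lose its credentials. Setting encrypted = true on root_block_device is a replacement, so it needs to be scheduled like a rebuild; note also that account-level "EBS encryption by default" does not satisfy AVD-AWS-0131, because Trivy only reads the HCL.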
github-actions bot commented Feb 6, 2025

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2025-02-06T12:01:27Z INFO [vulndb] Need to update DB
2025-02-06T12:01:27Z INFO [vulndb] Downloading vulnerability DB...
2025-02-06T12:01:27Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T12:01:29Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T12:01:29Z INFO [vuln] Vulnerability scanning is enabled
2025-02-06T12:01:29Z INFO [misconfig] Misconfiguration scanning is enabled
2025-02-06T12:01:29Z INFO [misconfig] Need to update the built-in checks
2025-02-06T12:01:29Z INFO [misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-02-06T12:01:30Z INFO [secret] Secret scanning is enabled
2025-02-06T12:01:30Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-06T12:01:30Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-06T12:01:31Z INFO [terraform scanner] Scanning root module file_path="."
2025-02-06T12:01:31Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-02-06T12:01:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-06T12:01:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-06T12:01:33Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T12:01:33Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T12:01:35Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-06T12:01:35Z INFO Number of language-specific files num=0
2025-02-06T12:01:35Z INFO Detected config files num=10

alb.tf (terraform)
==================

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:132
   via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
 130   resource "aws_lb" "external" {
 ...   
 132 [     internal = false
 ...   
 153   }
────────────────────────────────────────

app_servers.tf (terraform)
==========================

Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:193
   via app_servers.tf:192-194 (metadata_options)
    via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
 181   resource "aws_instance" "app1" {
 ...   
 193 [     http_tokens = "optional"
 ...   
 213   }
────────────────────────────────────────

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:228
   via app_servers.tf:227-229 (metadata_options)
    via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
 215   resource "aws_instance" "app2" {
 ...   
 228 [     http_tokens = "optional"
 ...   
 248   }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:181-213
────────────────────────────────────────
 181 ┌ resource "aws_instance" "app1" {
 182 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 183 │   availability_zone           = "eu-west-2a"
 184 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 185 │   monitoring                  = true
 186 │   vpc_security_group_ids      = [aws_security_group.app.id]
 187 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 188 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 189 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:215-248
────────────────────────────────────────
 215 ┌ resource "aws_instance" "app2" {
 216 │   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
 217 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 218 │   availability_zone           = "eu-west-2a"
 219 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 220 │   monitoring                  = true
 221 │   vpc_security_group_ids      = [aws_security_group.app.id]
 222 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 223 └   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 ...   
────────────────────────────────────────

concurrent_manager.tf (terraform)
=================================

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:171
   via concurrent_manager.tf:170-172 (metadata_options)
    via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
 159   resource "aws_instance" "concurrent_manager" {
 ...   
 171 [     http_tokens = "optional"
 ...   
 191   }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:159-191
────────────────────────────────────────
 159 ┌ resource "aws_instance" "concurrent_manager" {
 160 │   ami                         = local.application_data.accounts[local.environment].cm_ami_id
 161 │   availability_zone           = "eu-west-2a"
 162 │   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
 163 │   monitoring                  = true
 164 │   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
 165 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 166 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 167 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────

database.tf (terraform)
=======================

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:205
   via database.tf:204-206 (metadata_options)
    via database.tf:193-222 (aws_instance.database)
────────────────────────────────────────
 193   resource "aws_instance" "database" {
 ...   
 205 [     http_tokens = "optional"
 ...   
 222   }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:193-222
────────────────────────────────────────
 193 ┌ resource "aws_instance" "database" {
 194 │   ami                         = local.application_data.accounts[local.environment].db_ami_id
 195 │   availability_zone           = "eu-west-2a"
 196 │   instance_type               = local.application_data.accounts[local.environment].db_instance_type
 197 │   monitoring                  = true
 198 │   vpc_security_group_ids      = [aws_security_group.database.id]
 199 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
 200 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 201 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────

lambda.tf (terraform)
=====================

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:75-81
────────────────────────────────────────
  75 ┌ resource "aws_s3_bucket" "backup_lambda" {
  76 │   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
  77 │   tags = merge(
  78 │     local.tags,
  79 │     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
  80 │   )
  81 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:75-81
────────────────────────────────────────
  75 ┌ resource "aws_s3_bucket" "backup_lambda" {
  76 │   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
  77 │   tags = merge(
  78 │     local.tags,
  79 │     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
  80 │   )
  81 └ }
────────────────────────────────────────

s3.tf (terraform)
=================

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────

trivy_exitcode=1

Checkov Scan Failed

Show Output ```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-02-06 12:01:38,521 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-06 12:01:38,521 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-06 12:01:38,521 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 420, Failed checks: 58, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		215 | resource "aws_instance" "app2" {
		216 |   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone           = "eu-west-2a"
		219 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring                  = true
		221 |   vpc_security_group_ids      = [aws_security_group.app.id]
		222 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		224 |   key_name                    = aws_key_pair.cwa.key_name
		225 |   user_data_base64            = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		215 | resource "aws_instance" "app2" {
		216 |   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone           = "eu-west-2a"
		219 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring                  = true
		221 |   vpc_security_group_ids      = [aws_security_group.app.id]
		222 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		224 |   key_name                    = aws_key_pair.cwa.key_name
		225 |   user_data_base64            = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:266-270
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		266 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		267 |   security_group_id = aws_security_group.app.id
		268 |   cidr_ipv4         = "0.0.0.0/0"
		269 |   ip_protocol       = "-1"
		270 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:272-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		272 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		273 |   security_group_id            = aws_security_group.app.id
		274 |   description                  = "SSH from the Bastion"
		275 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		276 |   from_port                    = 22
		277 |   ip_protocol                  = "tcp"
		278 |   to_port                      = 22
		279 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:209-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		209 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		210 |   security_group_id = aws_security_group.concurrent_manager.id
		211 |   cidr_ipv4         = "0.0.0.0/0"
		212 |   ip_protocol       = "-1"
		213 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:215-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		215 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		216 |   security_group_id            = aws_security_group.concurrent_manager.id
		217 |   description                  = "SSH from the Bastion"
		218 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		219 |   from_port                    = 22
		220 |   ip_protocol                  = "tcp"
		221 |   to_port                      = 22
		222 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:193-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		193 | resource "aws_instance" "database" {
		194 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		195 |   availability_zone           = "eu-west-2a"
		196 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		197 |   monitoring                  = true
		198 |   vpc_security_group_ids      = [aws_security_group.database.id]
		199 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		200 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		201 |   key_name                    = aws_key_pair.cwa.key_name
		202 |   user_data_base64            = base64encode(local.db_userdata)
		203 |   user_data_replace_on_change = true
		204 |   metadata_options {
		205 |     http_tokens = "optional"
		206 |   }
		207 | 
		208 |   root_block_device {
		209 |     tags = merge(
		210 |       { "instance-scheduling" = "skip-scheduling" },
		211 |       local.tags,
		212 |       { "Name" = "${local.application_name_short}-database-root" }
		213 |     )
		214 |   }
		215 | 
		216 |   tags = merge(
		217 |     { "instance-scheduling" = "skip-scheduling" },
		218 |     local.tags,
		219 |     { "Name" = local.database_ec2_name }
		220 |   )
		221 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		222 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:193-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		193 | resource "aws_instance" "database" {
		194 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		195 |   availability_zone           = "eu-west-2a"
		196 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		197 |   monitoring                  = true
		198 |   vpc_security_group_ids      = [aws_security_group.database.id]
		199 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		200 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		201 |   key_name                    = aws_key_pair.cwa.key_name
		202 |   user_data_base64            = base64encode(local.db_userdata)
		203 |   user_data_replace_on_change = true
		204 |   metadata_options {
		205 |     http_tokens = "optional"
		206 |   }
		207 | 
		208 |   root_block_device {
		209 |     tags = merge(
		210 |       { "instance-scheduling" = "skip-scheduling" },
		211 |       local.tags,
		212 |       { "Name" = "${local.application_name_short}-database-root" }
		213 |     )
		214 |   }
		215 | 
		216 |   tags = merge(
		217 |     { "instance-scheduling" = "skip-scheduling" },
		218 |     local.tags,
		219 |     { "Name" = local.database_ec2_name }
		220 |   )
		221 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		222 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:245-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		245 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		246 |   security_group_id = aws_security_group.database.id
		247 |   cidr_ipv4         = "0.0.0.0/0"
		248 |   ip_protocol       = "-1"
		249 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:251-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		251 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		252 |   security_group_id            = aws_security_group.database.id
		253 |   description                  = "SSH from the Bastion"
		254 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		255 |   from_port                    = 22
		256 |   ip_protocol                  = "tcp"
		257 |   to_port                      = 22
		258 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:31-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		31 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		32 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		36 |   )
		37 |   policy = <<EOF
		38 | {
		39 |     "Version" : "2012-10-17",
		40 |     "Statement": [
		41 |         {
		42 |             "Action": [
		43 |                 "ec2:CreateNetworkInterface",
		44 |                 "ec2:DescribeNetworkInterfaces",
		45 |                 "ec2:DeleteNetworkInterface",
		46 |                 "ec2:DeleteSnapshot",
		47 |                 "ec2:DescribeSubnets",
		48 |                 "ec2:DescribeVpcs",
		49 |                 "ec2:DescribeInstances",
		50 |                 "ec2:DescribeAddresses",
		51 |                 "ec2:DescribeInstanceStatus",
		52 |                 "ec2:DescribeVolumes",
		53 |                 "ec2:DescribeSnapshots",
		54 |                 "logs:CreateLogGroup",
		55 |                 "logs:CreateLogStream",
		56 |                 "logs:PutLogEvents"
		57 |             ],
		58 |             "Resource": "*",
		59 |             "Effect": "Allow"
		60 |         }
		61 |     ]
		62 | }
		63 | EOF
		64 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:31-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		31 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		32 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		36 |   )
		37 |   policy = <<EOF
		38 | {
		39 |     "Version" : "2012-10-17",
		40 |     "Statement": [
		41 |         {
		42 |             "Action": [
		43 |                 "ec2:CreateNetworkInterface",
		44 |                 "ec2:DescribeNetworkInterfaces",
		45 |                 "ec2:DeleteNetworkInterface",
		46 |                 "ec2:DeleteSnapshot",
		47 |                 "ec2:DescribeSubnets",
		48 |                 "ec2:DescribeVpcs",
		49 |                 "ec2:DescribeInstances",
		50 |                 "ec2:DescribeAddresses",
		51 |                 "ec2:DescribeInstanceStatus",
		52 |                 "ec2:DescribeVolumes",
		53 |                 "ec2:DescribeSnapshots",
		54 |                 "logs:CreateLogGroup",
		55 |                 "logs:CreateLogStream",
		56 |                 "logs:PutLogEvents"
		57 |             ],
		58 |             "Resource": "*",
		59 |             "Effect": "Allow"
		60 |         }
		61 |     ]
		62 | }
		63 | EOF
		64 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:144-161
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		144 | resource "aws_security_group" "backup_lambda" {
		145 |   name        = "${local.application_name_short}-${local.environment}-backup-lambda-security-group"
		146 |   description = "Bakcup Lambda Security Group"
		147 |   vpc_id      = data.aws_vpc.shared.id
		148 | 
		149 |   egress {
		150 |     description = "outbound access"
		151 |     from_port   = 0
		152 |     to_port     = 0
		153 |     protocol    = "-1"
		154 |     cidr_blocks = ["0.0.0.0/0"]
		155 |   }
		156 | 
		157 |   tags = merge(
		158 |     local.tags,
		159 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-security-group" }
		160 |   )
		161 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:386-405
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		386 | resource "aws_ebs_volume" "app1" {
		387 |   availability_zone = "eu-west-2a"
		388 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		389 |   type              = "gp2"
		390 |   encrypted         = true
		391 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		392 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		393 | 
		394 |   lifecycle {
		395 |     replace_triggered_by = [
		396 |       aws_instance.app1.id
		397 |     ]
		398 |     ignore_changes = [kms_key_id]
		399 |   }
		400 | 
		401 |   tags = merge(
		402 |     local.tags,
		403 |     { "Name" = "${local.application_name_short}-app1-data" },
		404 |   )
		405 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:413-430
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		413 | resource "aws_ebs_volume" "app2" {
		414 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		415 |   availability_zone = "eu-west-2a"
		416 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		417 |   type              = "gp2"
		418 |   encrypted         = true
		419 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		420 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		421 | 
		422 |   lifecycle {
		423 |     ignore_changes = [kms_key_id]
		424 |   }
		425 | 
		426 |   tags = merge(
		427 |     local.tags,
		428 |     { "Name" = "${local.application_name_short}-app2-data" },
		429 |   )
		430 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:246-265
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		246 | resource "aws_ebs_volume" "concurrent_manager" {
		247 |   availability_zone = "eu-west-2a"
		248 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		249 |   type              = "gp2"
		250 |   encrypted         = true
		251 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		252 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		253 | 
		254 |   lifecycle {
		255 |     replace_triggered_by = [
		256 |       aws_instance.concurrent_manager.id
		257 |     ]
		258 |     ignore_changes = [kms_key_id]
		259 |   }
		260 | 
		261 |   tags = merge(
		262 |     local.tags,
		263 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		264 |   )
		265 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:420-436
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		420 | resource "aws_ebs_volume" "oradata" {
		421 |   availability_zone = "eu-west-2a"
		422 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		423 |   type              = "gp2"
		424 |   encrypted         = true
		425 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		426 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		427 | 
		428 |   lifecycle {
		429 |     ignore_changes = [kms_key_id]
		430 |   }
		431 | 
		432 |   tags = merge(
		433 |     local.tags,
		434 |     { "Name" = "${local.application_name_short}-database-oradata" },
		435 |   )
		436 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:444-460
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		444 | resource "aws_ebs_volume" "oracle" {
		445 |   availability_zone = "eu-west-2a"
		446 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		447 |   type              = "gp2"
		448 |   encrypted         = true
		449 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		450 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		451 | 
		452 |   lifecycle {
		453 |     ignore_changes = [kms_key_id]
		454 |   }
		455 | 
		456 |   tags = merge(
		457 |     local.tags,
		458 |     { "Name" = "${local.application_name_short}-database-oracle" },
		459 |   )
		460 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:468-484
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		468 | resource "aws_ebs_volume" "oraarch" {
		469 |   availability_zone = "eu-west-2a"
		470 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		471 |   type              = "gp2"
		472 |   encrypted         = true
		473 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		474 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		475 | 
		476 |   lifecycle {
		477 |     ignore_changes = [kms_key_id]
		478 |   }
		479 | 
		480 |   tags = merge(
		481 |     local.tags,
		482 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		483 |   )
		484 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:492-508
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		492 | resource "aws_ebs_volume" "oratmp" {
		493 |   availability_zone = "eu-west-2a"
		494 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		495 |   type              = "gp2"
		496 |   encrypted         = true
		497 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		498 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		499 | 
		500 |   lifecycle {
		501 |     ignore_changes = [kms_key_id]
		502 |   }
		503 | 
		504 |   tags = merge(
		505 |     local.tags,
		506 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		507 |   )
		508 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:516-532
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		516 | resource "aws_ebs_volume" "oraredo" {
		517 |   availability_zone = "eu-west-2a"
		518 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		519 |   type              = "gp2"
		520 |   encrypted         = true
		521 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		522 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		523 | 
		524 |   lifecycle {
		525 |     ignore_changes = [kms_key_id]
		526 |   }
		527 | 
		528 |   tags = merge(
		529 |     local.tags,
		530 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		531 |   )
		532 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:540-556
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		540 | resource "aws_ebs_volume" "share" {
		541 |   availability_zone = "eu-west-2a"
		542 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		543 |   type              = "gp2"
		544 |   encrypted         = true
		545 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		546 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		547 | 
		548 |   lifecycle {
		549 |     ignore_changes = [kms_key_id]
		550 |   }
		551 | 
		552 |   tags = merge(
		553 |     local.tags,
		554 |     { "Name" = "${local.application_name_short}-database-share" },
		555 |   )
		556 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:83-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		83 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		84 |   bucket = aws_s3_bucket.backup_lambda.id
		85 |   rule {
		86 |     object_ownership = "ObjectWriter"
		87 |   }
		88 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.scripts
	File: /s3.tf:21-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		21 | resource "aws_s3_bucket_ownership_controls" "scripts" {
		22 |   bucket = aws_s3_bucket.scripts.id
		23 |   rule {
		24 |     object_ownership = "ObjectWriter"
		25 |   }
		26 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/app_servers.tf line 171:
 171: resource "time_sleep" "wait_app_userdata_scripts" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2025-02-06T12:01:27Z	INFO	[vulndb] Need to update DB
2025-02-06T12:01:27Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-06T12:01:27Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T12:01:29Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T12:01:29Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-06T12:01:29Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-06T12:01:29Z	INFO	[misconfig] Need to update the built-in checks
2025-02-06T12:01:29Z	INFO	[misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2025-02-06T12:01:30Z	INFO	[secret] Secret scanning is enabled
2025-02-06T12:01:30Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-06T12:01:30Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-06T12:01:31Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-02-06T12:01:31Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-02-06T12:01:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-06T12:01:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-06T12:01:33Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T12:01:33Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T12:01:35Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-06T12:01:35Z	INFO	Number of language-specific files	num=0
2025-02-06T12:01:35Z	INFO	Detected config files	num=10

alb.tf (terraform)
==================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:132
   via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
 130   resource "aws_lb" "external" {
 ...   
 132 [   internal                   = false
 ...   
 153   }
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:193
   via app_servers.tf:192-194 (metadata_options)
    via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
 181   resource "aws_instance" "app1" {
 ...   
 193 [     http_tokens = "optional"
 ...   
 213   }
────────────────────────────────────────


AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:228
   via app_servers.tf:227-229 (metadata_options)
    via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
 215   resource "aws_instance" "app2" {
 ...   
 228 [     http_tokens = "optional"
 ...   
 248   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:181-213
────────────────────────────────────────
 181 ┌ resource "aws_instance" "app1" {
 182 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 183 │   availability_zone           = "eu-west-2a"
 184 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 185 │   monitoring                  = true
 186 │   vpc_security_group_ids      = [aws_security_group.app.id]
 187 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 188 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 189 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:215-248
────────────────────────────────────────
 215 ┌ resource "aws_instance" "app2" {
 216 │   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
 217 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 218 │   availability_zone           = "eu-west-2a"
 219 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 220 │   monitoring                  = true
 221 │   vpc_security_group_ids      = [aws_security_group.app.id]
 222 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 223 └   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 ...   
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:171
   via concurrent_manager.tf:170-172 (metadata_options)
    via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
 159   resource "aws_instance" "concurrent_manager" {
 ...   
 171 [     http_tokens = "optional"
 ...   
 191   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:159-191
────────────────────────────────────────
 159 ┌ resource "aws_instance" "concurrent_manager" {
 160 │   ami                         = local.application_data.accounts[local.environment].cm_ami_id
 161 │   availability_zone           = "eu-west-2a"
 162 │   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
 163 │   monitoring                  = true
 164 │   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
 165 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 166 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 167 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:205
   via database.tf:204-206 (metadata_options)
    via database.tf:193-222 (aws_instance.database)
────────────────────────────────────────
 193   resource "aws_instance" "database" {
 ...   
 205 [     http_tokens = "optional"
 ...   
 222   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:193-222
────────────────────────────────────────
 193 ┌ resource "aws_instance" "database" {
 194 │   ami                         = local.application_data.accounts[local.environment].db_ami_id
 195 │   availability_zone           = "eu-west-2a"
 196 │   instance_type               = local.application_data.accounts[local.environment].db_instance_type
 197 │   monitoring                  = true
 198 │   vpc_security_group_ids      = [aws_security_group.database.id]
 199 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
 200 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 201 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:75-81
────────────────────────────────────────
  75 ┌ resource "aws_s3_bucket" "backup_lambda" {
  76 │   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
  77 │   tags = merge(
  78 │     local.tags,
  79 │     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
  80 │   )
  81 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:75-81
────────────────────────────────────────
  75 ┌ resource "aws_s3_bucket" "backup_lambda" {
  76 │   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
  77 │   tags = merge(
  78 │     local.tags,
  79 │     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
  80 │   )
  81 └ }
────────────────────────────────────────



s3.tf (terraform)
=================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────


trivy_exitcode=1

@vc13837 vc13837 temporarily deployed to contract-work-administration-development February 6, 2025 12:01 — with GitHub Actions Inactive
@vc13837 vc13837 had a problem deploying to contract-work-administration-development February 6, 2025 12:44 — with GitHub Actions Failure

github-actions bot commented Feb 6, 2025

#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2025-02-06T12:45:29Z INFO [vulndb] Need to update DB
2025-02-06T12:45:29Z INFO [vulndb] Downloading vulnerability DB...
2025-02-06T12:45:29Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T12:45:32Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T12:45:32Z INFO [vuln] Vulnerability scanning is enabled
2025-02-06T12:45:32Z INFO [misconfig] Misconfiguration scanning is enabled
2025-02-06T12:45:32Z INFO [misconfig] Need to update the built-in checks
2025-02-06T12:45:32Z INFO [misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2025-02-06T12:45:32Z INFO [secret] Secret scanning is enabled
2025-02-06T12:45:32Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-06T12:45:32Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-06T12:45:33Z INFO [terraform scanner] Scanning root module file_path="."
2025-02-06T12:45:33Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-02-06T12:45:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-06T12:45:35Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-06T12:45:35Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T12:45:35Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T12:45:37Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-06T12:45:38Z INFO Number of language-specific files num=0
2025-02-06T12:45:38Z INFO Detected config files num=10

alb.tf (terraform)
==================

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:132
   via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
 130   resource "aws_lb" "external" {
 ...   
 132 [   internal                   = false
 ...   
 153   }
────────────────────────────────────────

app_servers.tf (terraform)
==========================

Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:193
   via app_servers.tf:192-194 (metadata_options)
    via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
 181   resource "aws_instance" "app1" {
 ...   
 193 [     http_tokens = "optional"
 ...   
 213   }
────────────────────────────────────────

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:228
   via app_servers.tf:227-229 (metadata_options)
    via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
 215   resource "aws_instance" "app2" {
 ...   
 228 [     http_tokens = "optional"
 ...   
 248   }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:181-213
────────────────────────────────────────
 181 ┌ resource "aws_instance" "app1" {
 182 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 183 │   availability_zone           = "eu-west-2a"
 184 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 185 │   monitoring                  = true
 186 │   vpc_security_group_ids      = [aws_security_group.app.id]
 187 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 188 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 189 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:215-248
────────────────────────────────────────
 215 ┌ resource "aws_instance" "app2" {
 216 │   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
 217 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 218 │   availability_zone           = "eu-west-2a"
 219 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 220 │   monitoring                  = true
 221 │   vpc_security_group_ids      = [aws_security_group.app.id]
 222 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 223 └   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 ...   
────────────────────────────────────────

concurrent_manager.tf (terraform)
=================================

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:171
   via concurrent_manager.tf:170-172 (metadata_options)
    via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
 159   resource "aws_instance" "concurrent_manager" {
 ...   
 171 [     http_tokens = "optional"
 ...   
 191   }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:159-191
────────────────────────────────────────
 159 ┌ resource "aws_instance" "concurrent_manager" {
 160 │   ami                         = local.application_data.accounts[local.environment].cm_ami_id
 161 │   availability_zone           = "eu-west-2a"
 162 │   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
 163 │   monitoring                  = true
 164 │   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
 165 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 166 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 167 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────

database.tf (terraform)
=======================

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:205
   via database.tf:204-206 (metadata_options)
    via database.tf:193-222 (aws_instance.database)
────────────────────────────────────────
 193   resource "aws_instance" "database" {
 ...   
 205 [     http_tokens = "optional"
 ...   
 222   }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:193-222
────────────────────────────────────────
 193 ┌ resource "aws_instance" "database" {
 194 │   ami                         = local.application_data.accounts[local.environment].db_ami_id
 195 │   availability_zone           = "eu-west-2a"
 196 │   instance_type               = local.application_data.accounts[local.environment].db_instance_type
 197 │   monitoring                  = true
 198 │   vpc_security_group_ids      = [aws_security_group.database.id]
 199 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
 200 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 201 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────

lambda.tf (terraform)
=====================

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:75-81
────────────────────────────────────────
  75 ┌ resource "aws_s3_bucket" "backup_lambda" {
  76 │   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
  77 │   tags = merge(
  78 │     local.tags,
  79 │     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
  80 │   )
  81 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:75-81
────────────────────────────────────────
  75 ┌ resource "aws_s3_bucket" "backup_lambda" {
  76 │   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
  77 │   tags = merge(
  78 │     local.tags,
  79 │     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
  80 │   )
  81 └ }
────────────────────────────────────────

s3.tf (terraform)
=================

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────

trivy_exitcode=1

```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-02-06 12:45:40,775 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-06 12:45:40,775 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-06 12:45:40,776 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 420, Failed checks: 58, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		215 | resource "aws_instance" "app2" {
		216 |   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone           = "eu-west-2a"
		219 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring                  = true
		221 |   vpc_security_group_ids      = [aws_security_group.app.id]
		222 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		224 |   key_name                    = aws_key_pair.cwa.key_name
		225 |   user_data_base64            = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		215 | resource "aws_instance" "app2" {
		216 |   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone           = "eu-west-2a"
		219 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring                  = true
		221 |   vpc_security_group_ids      = [aws_security_group.app.id]
		222 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		224 |   key_name                    = aws_key_pair.cwa.key_name
		225 |   user_data_base64            = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:266-270
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		266 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		267 |   security_group_id = aws_security_group.app.id
		268 |   cidr_ipv4         = "0.0.0.0/0"
		269 |   ip_protocol       = "-1"
		270 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:272-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		272 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		273 |   security_group_id            = aws_security_group.app.id
		274 |   description                  = "SSH from the Bastion"
		275 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		276 |   from_port                    = 22
		277 |   ip_protocol                  = "tcp"
		278 |   to_port                      = 22
		279 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:209-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		209 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		210 |   security_group_id = aws_security_group.concurrent_manager.id
		211 |   cidr_ipv4         = "0.0.0.0/0"
		212 |   ip_protocol       = "-1"
		213 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:215-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		215 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		216 |   security_group_id            = aws_security_group.concurrent_manager.id
		217 |   description                  = "SSH from the Bastion"
		218 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		219 |   from_port                    = 22
		220 |   ip_protocol                  = "tcp"
		221 |   to_port                      = 22
		222 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:193-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		193 | resource "aws_instance" "database" {
		194 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		195 |   availability_zone           = "eu-west-2a"
		196 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		197 |   monitoring                  = true
		198 |   vpc_security_group_ids      = [aws_security_group.database.id]
		199 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		200 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		201 |   key_name                    = aws_key_pair.cwa.key_name
		202 |   user_data_base64            = base64encode(local.db_userdata)
		203 |   user_data_replace_on_change = true
		204 |   metadata_options {
		205 |     http_tokens = "optional"
		206 |   }
		207 | 
		208 |   root_block_device {
		209 |     tags = merge(
		210 |       { "instance-scheduling" = "skip-scheduling" },
		211 |       local.tags,
		212 |       { "Name" = "${local.application_name_short}-database-root" }
		213 |     )
		214 |   }
		215 | 
		216 |   tags = merge(
		217 |     { "instance-scheduling" = "skip-scheduling" },
		218 |     local.tags,
		219 |     { "Name" = local.database_ec2_name }
		220 |   )
		221 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		222 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:193-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		193 | resource "aws_instance" "database" {
		194 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		195 |   availability_zone           = "eu-west-2a"
		196 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		197 |   monitoring                  = true
		198 |   vpc_security_group_ids      = [aws_security_group.database.id]
		199 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		200 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		201 |   key_name                    = aws_key_pair.cwa.key_name
		202 |   user_data_base64            = base64encode(local.db_userdata)
		203 |   user_data_replace_on_change = true
		204 |   metadata_options {
		205 |     http_tokens = "optional"
		206 |   }
		207 | 
		208 |   root_block_device {
		209 |     tags = merge(
		210 |       { "instance-scheduling" = "skip-scheduling" },
		211 |       local.tags,
		212 |       { "Name" = "${local.application_name_short}-database-root" }
		213 |     )
		214 |   }
		215 | 
		216 |   tags = merge(
		217 |     { "instance-scheduling" = "skip-scheduling" },
		218 |     local.tags,
		219 |     { "Name" = local.database_ec2_name }
		220 |   )
		221 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		222 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:245-249
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		245 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		246 |   security_group_id = aws_security_group.database.id
		247 |   cidr_ipv4         = "0.0.0.0/0"
		248 |   ip_protocol       = "-1"
		249 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:251-258
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		251 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		252 |   security_group_id            = aws_security_group.database.id
		253 |   description                  = "SSH from the Bastion"
		254 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		255 |   from_port                    = 22
		256 |   ip_protocol                  = "tcp"
		257 |   to_port                      = 22
		258 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:31-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		31 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		32 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		36 |   )
		37 |   policy = <<EOF
		38 | {
		39 |     "Version" : "2012-10-17",
		40 |     "Statement": [
		41 |         {
		42 |             "Action": [
		43 |                 "ec2:CreateNetworkInterface",
		44 |                 "ec2:DescribeNetworkInterfaces",
		45 |                 "ec2:DeleteNetworkInterface",
		46 |                 "ec2:DeleteSnapshot",
		47 |                 "ec2:DescribeSubnets",
		48 |                 "ec2:DescribeVpcs",
		49 |                 "ec2:DescribeInstances",
		50 |                 "ec2:DescribeAddresses",
		51 |                 "ec2:DescribeInstanceStatus",
		52 |                 "ec2:DescribeVolumes",
		53 |                 "ec2:DescribeSnapshots",
		54 |                 "logs:CreateLogGroup",
		55 |                 "logs:CreateLogStream",
		56 |                 "logs:PutLogEvents"
		57 |             ],
		58 |             "Resource": "*",
		59 |             "Effect": "Allow"
		60 |         }
		61 |     ]
		62 | }
		63 | EOF
		64 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:31-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		31 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		32 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		36 |   )
		37 |   policy = <<EOF
		38 | {
		39 |     "Version" : "2012-10-17",
		40 |     "Statement": [
		41 |         {
		42 |             "Action": [
		43 |                 "ec2:CreateNetworkInterface",
		44 |                 "ec2:DescribeNetworkInterfaces",
		45 |                 "ec2:DeleteNetworkInterface",
		46 |                 "ec2:DeleteSnapshot",
		47 |                 "ec2:DescribeSubnets",
		48 |                 "ec2:DescribeVpcs",
		49 |                 "ec2:DescribeInstances",
		50 |                 "ec2:DescribeAddresses",
		51 |                 "ec2:DescribeInstanceStatus",
		52 |                 "ec2:DescribeVolumes",
		53 |                 "ec2:DescribeSnapshots",
		54 |                 "logs:CreateLogGroup",
		55 |                 "logs:CreateLogStream",
		56 |                 "logs:PutLogEvents"
		57 |             ],
		58 |             "Resource": "*",
		59 |             "Effect": "Allow"
		60 |         }
		61 |     ]
		62 | }
		63 | EOF
		64 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:144-161
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		144 | resource "aws_security_group" "backup_lambda" {
		145 |   name        = "${local.application_name_short}-${local.environment}-backup-lambda-security-group"
		146 |   description = "Bakcup Lambda Security Group"
		147 |   vpc_id      = data.aws_vpc.shared.id
		148 | 
		149 |   egress {
		150 |     description = "outbound access"
		151 |     from_port   = 0
		152 |     to_port     = 0
		153 |     protocol    = "-1"
		154 |     cidr_blocks = ["0.0.0.0/0"]
		155 |   }
		156 | 
		157 |   tags = merge(
		158 |     local.tags,
		159 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-security-group" }
		160 |   )
		161 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:386-405
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		386 | resource "aws_ebs_volume" "app1" {
		387 |   availability_zone = "eu-west-2a"
		388 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		389 |   type              = "gp2"
		390 |   encrypted         = true
		391 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		392 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		393 | 
		394 |   lifecycle {
		395 |     replace_triggered_by = [
		396 |       aws_instance.app1.id
		397 |     ]
		398 |     ignore_changes = [kms_key_id]
		399 |   }
		400 | 
		401 |   tags = merge(
		402 |     local.tags,
		403 |     { "Name" = "${local.application_name_short}-app1-data" },
		404 |   )
		405 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:413-430
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		413 | resource "aws_ebs_volume" "app2" {
		414 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		415 |   availability_zone = "eu-west-2a"
		416 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		417 |   type              = "gp2"
		418 |   encrypted         = true
		419 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		420 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		421 | 
		422 |   lifecycle {
		423 |     ignore_changes = [kms_key_id]
		424 |   }
		425 | 
		426 |   tags = merge(
		427 |     local.tags,
		428 |     { "Name" = "${local.application_name_short}-app2-data" },
		429 |   )
		430 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:246-265
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		246 | resource "aws_ebs_volume" "concurrent_manager" {
		247 |   availability_zone = "eu-west-2a"
		248 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		249 |   type              = "gp2"
		250 |   encrypted         = true
		251 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		252 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		253 | 
		254 |   lifecycle {
		255 |     replace_triggered_by = [
		256 |       aws_instance.concurrent_manager.id
		257 |     ]
		258 |     ignore_changes = [kms_key_id]
		259 |   }
		260 | 
		261 |   tags = merge(
		262 |     local.tags,
		263 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		264 |   )
		265 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:420-436
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		420 | resource "aws_ebs_volume" "oradata" {
		421 |   availability_zone = "eu-west-2a"
		422 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		423 |   type              = "gp2"
		424 |   encrypted         = true
		425 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		426 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		427 | 
		428 |   lifecycle {
		429 |     ignore_changes = [kms_key_id]
		430 |   }
		431 | 
		432 |   tags = merge(
		433 |     local.tags,
		434 |     { "Name" = "${local.application_name_short}-database-oradata" },
		435 |   )
		436 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:444-460
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		444 | resource "aws_ebs_volume" "oracle" {
		445 |   availability_zone = "eu-west-2a"
		446 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		447 |   type              = "gp2"
		448 |   encrypted         = true
		449 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		450 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		451 | 
		452 |   lifecycle {
		453 |     ignore_changes = [kms_key_id]
		454 |   }
		455 | 
		456 |   tags = merge(
		457 |     local.tags,
		458 |     { "Name" = "${local.application_name_short}-database-oracle" },
		459 |   )
		460 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:468-484
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		468 | resource "aws_ebs_volume" "oraarch" {
		469 |   availability_zone = "eu-west-2a"
		470 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		471 |   type              = "gp2"
		472 |   encrypted         = true
		473 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		474 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		475 | 
		476 |   lifecycle {
		477 |     ignore_changes = [kms_key_id]
		478 |   }
		479 | 
		480 |   tags = merge(
		481 |     local.tags,
		482 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		483 |   )
		484 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:492-508
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		492 | resource "aws_ebs_volume" "oratmp" {
		493 |   availability_zone = "eu-west-2a"
		494 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		495 |   type              = "gp2"
		496 |   encrypted         = true
		497 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		498 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		499 | 
		500 |   lifecycle {
		501 |     ignore_changes = [kms_key_id]
		502 |   }
		503 | 
		504 |   tags = merge(
		505 |     local.tags,
		506 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		507 |   )
		508 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:516-532
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		516 | resource "aws_ebs_volume" "oraredo" {
		517 |   availability_zone = "eu-west-2a"
		518 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		519 |   type              = "gp2"
		520 |   encrypted         = true
		521 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		522 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		523 | 
		524 |   lifecycle {
		525 |     ignore_changes = [kms_key_id]
		526 |   }
		527 | 
		528 |   tags = merge(
		529 |     local.tags,
		530 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		531 |   )
		532 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:540-556
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		540 | resource "aws_ebs_volume" "share" {
		541 |   availability_zone = "eu-west-2a"
		542 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		543 |   type              = "gp2"
		544 |   encrypted         = true
		545 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		546 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		547 | 
		548 |   lifecycle {
		549 |     ignore_changes = [kms_key_id]
		550 |   }
		551 | 
		552 |   tags = merge(
		553 |     local.tags,
		554 |     { "Name" = "${local.application_name_short}-database-share" },
		555 |   )
		556 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:83-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		83 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		84 |   bucket = aws_s3_bucket.backup_lambda.id
		85 |   rule {
		86 |     object_ownership = "ObjectWriter"
		87 |   }
		88 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.scripts
	File: /s3.tf:21-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		21 | resource "aws_s3_bucket_ownership_controls" "scripts" {
		22 |   bucket = aws_s3_bucket.scripts.id
		23 |   rule {
		24 |     object_ownership = "ObjectWriter"
		25 |   }
		26 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/concurrent_manager.tf line 150:
 150: resource "time_sleep" "wait_cm_custom_script" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2025-02-06T12:45:29Z	INFO	[vulndb] Need to update DB
2025-02-06T12:45:29Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-06T12:45:29Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T12:45:32Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T12:45:32Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-06T12:45:32Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-06T12:45:32Z	INFO	[misconfig] Need to update the built-in checks
2025-02-06T12:45:32Z	INFO	[misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-02-06T12:45:32Z	INFO	[secret] Secret scanning is enabled
2025-02-06T12:45:32Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-06T12:45:32Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-06T12:45:33Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-02-06T12:45:33Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-02-06T12:45:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-06T12:45:35Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-06T12:45:35Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T12:45:35Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T12:45:37Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-06T12:45:38Z	INFO	Number of language-specific files	num=0
2025-02-06T12:45:38Z	INFO	Detected config files	num=10

alb.tf (terraform)
==================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:132
   via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
 130   resource "aws_lb" "external" {
 ...   
 132 [   internal                   = false
 ...   
 153   }
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:193
   via app_servers.tf:192-194 (metadata_options)
    via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
 181   resource "aws_instance" "app1" {
 ...   
 193 [     http_tokens = "optional"
 ...   
 213   }
────────────────────────────────────────


AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:228
   via app_servers.tf:227-229 (metadata_options)
    via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
 215   resource "aws_instance" "app2" {
 ...   
 228 [     http_tokens = "optional"
 ...   
 248   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:181-213
────────────────────────────────────────
 181 ┌ resource "aws_instance" "app1" {
 182 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 183 │   availability_zone           = "eu-west-2a"
 184 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 185 │   monitoring                  = true
 186 │   vpc_security_group_ids      = [aws_security_group.app.id]
 187 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 188 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 189 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:215-248
────────────────────────────────────────
 215 ┌ resource "aws_instance" "app2" {
 216 │   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
 217 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 218 │   availability_zone           = "eu-west-2a"
 219 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 220 │   monitoring                  = true
 221 │   vpc_security_group_ids      = [aws_security_group.app.id]
 222 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 223 └   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 ...   
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:171
   via concurrent_manager.tf:170-172 (metadata_options)
    via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
 159   resource "aws_instance" "concurrent_manager" {
 ...   
 171 [     http_tokens = "optional"
 ...   
 191   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:159-191
────────────────────────────────────────
 159 ┌ resource "aws_instance" "concurrent_manager" {
 160 │   ami                         = local.application_data.accounts[local.environment].cm_ami_id
 161 │   availability_zone           = "eu-west-2a"
 162 │   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
 163 │   monitoring                  = true
 164 │   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
 165 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 166 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 167 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:205
   via database.tf:204-206 (metadata_options)
    via database.tf:193-222 (aws_instance.database)
────────────────────────────────────────
 193   resource "aws_instance" "database" {
 ...   
 205 [     http_tokens = "optional"
 ...   
 222   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:193-222
────────────────────────────────────────
 193 ┌ resource "aws_instance" "database" {
 194 │   ami                         = local.application_data.accounts[local.environment].db_ami_id
 195 │   availability_zone           = "eu-west-2a"
 196 │   instance_type               = local.application_data.accounts[local.environment].db_instance_type
 197 │   monitoring                  = true
 198 │   vpc_security_group_ids      = [aws_security_group.database.id]
 199 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
 200 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 201 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:75-81
────────────────────────────────────────
  75 ┌ resource "aws_s3_bucket" "backup_lambda" {
  76 │   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
  77 │   tags = merge(
  78 │     local.tags,
  79 │     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
  80 │   )
  81 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:75-81
────────────────────────────────────────
  75 ┌ resource "aws_s3_bucket" "backup_lambda" {
  76 │   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
  77 │   tags = merge(
  78 │     local.tags,
  79 │     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
  80 │   )
  81 └ }
────────────────────────────────────────



s3.tf (terraform)
=================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────


trivy_exitcode=1

@vc13837 vc13837 had a problem deploying to contract-work-administration-development February 6, 2025 13:01 — with GitHub Actions Failure
@vc13837 vc13837 requested a review from a team as a code owner February 6, 2025 13:28
@vc13837 vc13837 deployed to contract-work-administration-development February 6, 2025 13:30 — with GitHub Actions Active
github-actions bot commented Feb 6, 2025

Trivy Scan Failed

```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2025-02-06T13:31:05Z INFO [vulndb] Need to update DB
2025-02-06T13:31:05Z INFO [vulndb] Downloading vulnerability DB...
2025-02-06T13:31:05Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T13:31:07Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T13:31:07Z INFO [vuln] Vulnerability scanning is enabled
2025-02-06T13:31:07Z INFO [misconfig] Misconfiguration scanning is enabled
2025-02-06T13:31:07Z INFO [misconfig] Need to update the built-in checks
2025-02-06T13:31:07Z INFO [misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2025-02-06T13:31:08Z INFO [secret] Secret scanning is enabled
2025-02-06T13:31:08Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-06T13:31:08Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-06T13:31:09Z INFO [terraform scanner] Scanning root module file_path="."
2025-02-06T13:31:09Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-02-06T13:31:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-06T13:31:10Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-06T13:31:10Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T13:31:10Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T13:31:14Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-06T13:31:14Z INFO Number of language-specific files num=0
2025-02-06T13:31:14Z INFO Detected config files num=10

alb.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:132
via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
130 resource "aws_lb" "external" {
...
132 [ internal = false
...
153 }
────────────────────────────────────────

app_servers.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:193
via app_servers.tf:192-194 (metadata_options)
via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
181 resource "aws_instance" "app1" {
...
193 [ http_tokens = "optional"
...
213 }
────────────────────────────────────────

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:228
via app_servers.tf:227-229 (metadata_options)
via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
215 resource "aws_instance" "app2" {
...
228 [ http_tokens = "optional"
...
248 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:181-213
────────────────────────────────────────
181 ┌ resource "aws_instance" "app1" {
182 │ ami = local.application_data.accounts[local.environment].app_ami_id
183 │ availability_zone = "eu-west-2a"
184 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
185 │ monitoring = true
186 │ vpc_security_group_ids = [aws_security_group.app.id]
187 │ subnet_id = data.aws_subnet.private_subnets_a.id
188 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
189 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:215-248
────────────────────────────────────────
215 ┌ resource "aws_instance" "app2" {
216 │ count = contains(["development2", "testing"], local.environment) ? 0 : 1
217 │ ami = local.application_data.accounts[local.environment].app_ami_id
218 │ availability_zone = "eu-west-2a"
219 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
220 │ monitoring = true
221 │ vpc_security_group_ids = [aws_security_group.app.id]
222 │ subnet_id = data.aws_subnet.private_subnets_a.id
223 └ iam_instance_profile = aws_iam_instance_profile.cwa.id
...
────────────────────────────────────────

concurrent_manager.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:171
via concurrent_manager.tf:170-172 (metadata_options)
via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
159 resource "aws_instance" "concurrent_manager" {
...
171 [ http_tokens = "optional"
...
191 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:159-191
────────────────────────────────────────
159 ┌ resource "aws_instance" "concurrent_manager" {
160 │ ami = local.application_data.accounts[local.environment].cm_ami_id
161 │ availability_zone = "eu-west-2a"
162 │ instance_type = local.application_data.accounts[local.environment].cm_instance_type
163 │ monitoring = true
164 │ vpc_security_group_ids = [aws_security_group.concurrent_manager.id]
165 │ subnet_id = data.aws_subnet.private_subnets_a.id
166 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
167 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

database.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:208
via database.tf:207-209 (metadata_options)
via database.tf:196-225 (aws_instance.database)
────────────────────────────────────────
196 resource "aws_instance" "database" {
...
208 [ http_tokens = "optional"
...
225 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:196-225
────────────────────────────────────────
196 ┌ resource "aws_instance" "database" {
197 │ ami = local.application_data.accounts[local.environment].db_ami_id
198 │ availability_zone = "eu-west-2a"
199 │ instance_type = local.application_data.accounts[local.environment].db_instance_type
200 │ monitoring = true
201 │ vpc_security_group_ids = [aws_security_group.database.id]
202 │ subnet_id = data.aws_subnet.data_subnets_a.id
203 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
204 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:75-81
────────────────────────────────────────
75 ┌ resource "aws_s3_bucket" "backup_lambda" {
76 │ bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
77 │ tags = merge(
78 │ local.tags,
79 │ { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
80 │ )
81 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:75-81
────────────────────────────────────────
75 ┌ resource "aws_s3_bucket" "backup_lambda" {
76 │ bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
77 │ tags = merge(
78 │ local.tags,
79 │ { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
80 │ )
81 └ }
────────────────────────────────────────

s3.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────

trivy_exitcode=1
```

</details>

#### `Checkov Scan` Failed

<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-02-06 13:31:16,577 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-06 13:31:16,577 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-06 13:31:16,577 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 420, Failed checks: 58, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		215 | resource "aws_instance" "app2" {
		216 |   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone           = "eu-west-2a"
		219 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring                  = true
		221 |   vpc_security_group_ids      = [aws_security_group.app.id]
		222 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		224 |   key_name                    = aws_key_pair.cwa.key_name
		225 |   user_data_base64            = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		215 | resource "aws_instance" "app2" {
		216 |   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone           = "eu-west-2a"
		219 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring                  = true
		221 |   vpc_security_group_ids      = [aws_security_group.app.id]
		222 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		224 |   key_name                    = aws_key_pair.cwa.key_name
		225 |   user_data_base64            = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:266-270
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		266 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		267 |   security_group_id = aws_security_group.app.id
		268 |   cidr_ipv4         = "0.0.0.0/0"
		269 |   ip_protocol       = "-1"
		270 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:272-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		272 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		273 |   security_group_id            = aws_security_group.app.id
		274 |   description                  = "SSH from the Bastion"
		275 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		276 |   from_port                    = 22
		277 |   ip_protocol                  = "tcp"
		278 |   to_port                      = 22
		279 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:209-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		209 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		210 |   security_group_id = aws_security_group.concurrent_manager.id
		211 |   cidr_ipv4         = "0.0.0.0/0"
		212 |   ip_protocol       = "-1"
		213 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:215-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		215 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		216 |   security_group_id            = aws_security_group.concurrent_manager.id
		217 |   description                  = "SSH from the Bastion"
		218 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		219 |   from_port                    = 22
		220 |   ip_protocol                  = "tcp"
		221 |   to_port                      = 22
		222 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:196-225
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		196 | resource "aws_instance" "database" {
		197 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		198 |   availability_zone           = "eu-west-2a"
		199 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		200 |   monitoring                  = true
		201 |   vpc_security_group_ids      = [aws_security_group.database.id]
		202 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		203 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		204 |   key_name                    = aws_key_pair.cwa.key_name
		205 |   user_data_base64            = base64encode(local.db_userdata)
		206 |   user_data_replace_on_change = true
		207 |   metadata_options {
		208 |     http_tokens = "optional"
		209 |   }
		210 | 
		211 |   root_block_device {
		212 |     tags = merge(
		213 |       { "instance-scheduling" = "skip-scheduling" },
		214 |       local.tags,
		215 |       { "Name" = "${local.application_name_short}-database-root" }
		216 |     )
		217 |   }
		218 | 
		219 |   tags = merge(
		220 |     { "instance-scheduling" = "skip-scheduling" },
		221 |     local.tags,
		222 |     { "Name" = local.database_ec2_name }
		223 |   )
		224 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		225 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:196-225
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		196 | resource "aws_instance" "database" {
		197 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		198 |   availability_zone           = "eu-west-2a"
		199 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		200 |   monitoring                  = true
		201 |   vpc_security_group_ids      = [aws_security_group.database.id]
		202 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		203 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		204 |   key_name                    = aws_key_pair.cwa.key_name
		205 |   user_data_base64            = base64encode(local.db_userdata)
		206 |   user_data_replace_on_change = true
		207 |   metadata_options {
		208 |     http_tokens = "optional"
		209 |   }
		210 | 
		211 |   root_block_device {
		212 |     tags = merge(
		213 |       { "instance-scheduling" = "skip-scheduling" },
		214 |       local.tags,
		215 |       { "Name" = "${local.application_name_short}-database-root" }
		216 |     )
		217 |   }
		218 | 
		219 |   tags = merge(
		220 |     { "instance-scheduling" = "skip-scheduling" },
		221 |     local.tags,
		222 |     { "Name" = local.database_ec2_name }
		223 |   )
		224 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		225 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:248-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		248 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		249 |   security_group_id = aws_security_group.database.id
		250 |   cidr_ipv4         = "0.0.0.0/0"
		251 |   ip_protocol       = "-1"
		252 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:254-261
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		254 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		255 |   security_group_id            = aws_security_group.database.id
		256 |   description                  = "SSH from the Bastion"
		257 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		258 |   from_port                    = 22
		259 |   ip_protocol                  = "tcp"
		260 |   to_port                      = 22
		261 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:31-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		31 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		32 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		36 |   )
		37 |   policy = <<EOF
		38 | {
		39 |     "Version" : "2012-10-17",
		40 |     "Statement": [
		41 |         {
		42 |             "Action": [
		43 |                 "ec2:CreateNetworkInterface",
		44 |                 "ec2:DescribeNetworkInterfaces",
		45 |                 "ec2:DeleteNetworkInterface",
		46 |                 "ec2:DeleteSnapshot",
		47 |                 "ec2:DescribeSubnets",
		48 |                 "ec2:DescribeVpcs",
		49 |                 "ec2:DescribeInstances",
		50 |                 "ec2:DescribeAddresses",
		51 |                 "ec2:DescribeInstanceStatus",
		52 |                 "ec2:DescribeVolumes",
		53 |                 "ec2:DescribeSnapshots",
		54 |                 "logs:CreateLogGroup",
		55 |                 "logs:CreateLogStream",
		56 |                 "logs:PutLogEvents"
		57 |             ],
		58 |             "Resource": "*",
		59 |             "Effect": "Allow"
		60 |         }
		61 |     ]
		62 | }
		63 | EOF
		64 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:31-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		31 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		32 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		36 |   )
		37 |   policy = <<EOF
		38 | {
		39 |     "Version" : "2012-10-17",
		40 |     "Statement": [
		41 |         {
		42 |             "Action": [
		43 |                 "ec2:CreateNetworkInterface",
		44 |                 "ec2:DescribeNetworkInterfaces",
		45 |                 "ec2:DeleteNetworkInterface",
		46 |                 "ec2:DeleteSnapshot",
		47 |                 "ec2:DescribeSubnets",
		48 |                 "ec2:DescribeVpcs",
		49 |                 "ec2:DescribeInstances",
		50 |                 "ec2:DescribeAddresses",
		51 |                 "ec2:DescribeInstanceStatus",
		52 |                 "ec2:DescribeVolumes",
		53 |                 "ec2:DescribeSnapshots",
		54 |                 "logs:CreateLogGroup",
		55 |                 "logs:CreateLogStream",
		56 |                 "logs:PutLogEvents"
		57 |             ],
		58 |             "Resource": "*",
		59 |             "Effect": "Allow"
		60 |         }
		61 |     ]
		62 | }
		63 | EOF
		64 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:144-161
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		144 | resource "aws_security_group" "backup_lambda" {
		145 |   name        = "${local.application_name_short}-${local.environment}-backup-lambda-security-group"
		146 |   description = "Bakcup Lambda Security Group"
		147 |   vpc_id      = data.aws_vpc.shared.id
		148 | 
		149 |   egress {
		150 |     description = "outbound access"
		151 |     from_port   = 0
		152 |     to_port     = 0
		153 |     protocol    = "-1"
		154 |     cidr_blocks = ["0.0.0.0/0"]
		155 |   }
		156 | 
		157 |   tags = merge(
		158 |     local.tags,
		159 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-security-group" }
		160 |   )
		161 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }
Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }
Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }
Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }
Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:386-405
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		386 | resource "aws_ebs_volume" "app1" {
		387 |   availability_zone = "eu-west-2a"
		388 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		389 |   type              = "gp2"
		390 |   encrypted         = true
		391 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		392 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		393 | 
		394 |   lifecycle {
		395 |     replace_triggered_by = [
		396 |       aws_instance.app1.id
		397 |     ]
		398 |     ignore_changes = [kms_key_id]
		399 |   }
		400 | 
		401 |   tags = merge(
		402 |     local.tags,
		403 |     { "Name" = "${local.application_name_short}-app1-data" },
		404 |   )
		405 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:413-430
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		413 | resource "aws_ebs_volume" "app2" {
		414 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		415 |   availability_zone = "eu-west-2a"
		416 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		417 |   type              = "gp2"
		418 |   encrypted         = true
		419 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		420 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		421 | 
		422 |   lifecycle {
		423 |     ignore_changes = [kms_key_id]
		424 |   }
		425 | 
		426 |   tags = merge(
		427 |     local.tags,
		428 |     { "Name" = "${local.application_name_short}-app2-data" },
		429 |   )
		430 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:246-265
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		246 | resource "aws_ebs_volume" "concurrent_manager" {
		247 |   availability_zone = "eu-west-2a"
		248 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		249 |   type              = "gp2"
		250 |   encrypted         = true
		251 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		252 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		253 | 
		254 |   lifecycle {
		255 |     replace_triggered_by = [
		256 |       aws_instance.concurrent_manager.id
		257 |     ]
		258 |     ignore_changes = [kms_key_id]
		259 |   }
		260 | 
		261 |   tags = merge(
		262 |     local.tags,
		263 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		264 |   )
		265 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:423-439
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		423 | resource "aws_ebs_volume" "oradata" {
		424 |   availability_zone = "eu-west-2a"
		425 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		426 |   type              = "gp2"
		427 |   encrypted         = true
		428 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		429 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		430 | 
		431 |   lifecycle {
		432 |     ignore_changes = [kms_key_id]
		433 |   }
		434 | 
		435 |   tags = merge(
		436 |     local.tags,
		437 |     { "Name" = "${local.application_name_short}-database-oradata" },
		438 |   )
		439 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:447-463
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		447 | resource "aws_ebs_volume" "oracle" {
		448 |   availability_zone = "eu-west-2a"
		449 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		450 |   type              = "gp2"
		451 |   encrypted         = true
		452 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		453 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		454 | 
		455 |   lifecycle {
		456 |     ignore_changes = [kms_key_id]
		457 |   }
		458 | 
		459 |   tags = merge(
		460 |     local.tags,
		461 |     { "Name" = "${local.application_name_short}-database-oracle" },
		462 |   )
		463 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:471-487
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		471 | resource "aws_ebs_volume" "oraarch" {
		472 |   availability_zone = "eu-west-2a"
		473 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		474 |   type              = "gp2"
		475 |   encrypted         = true
		476 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		477 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		478 | 
		479 |   lifecycle {
		480 |     ignore_changes = [kms_key_id]
		481 |   }
		482 | 
		483 |   tags = merge(
		484 |     local.tags,
		485 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		486 |   )
		487 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:495-511
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		495 | resource "aws_ebs_volume" "oratmp" {
		496 |   availability_zone = "eu-west-2a"
		497 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		498 |   type              = "gp2"
		499 |   encrypted         = true
		500 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		501 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		502 | 
		503 |   lifecycle {
		504 |     ignore_changes = [kms_key_id]
		505 |   }
		506 | 
		507 |   tags = merge(
		508 |     local.tags,
		509 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		510 |   )
		511 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:519-535
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		519 | resource "aws_ebs_volume" "oraredo" {
		520 |   availability_zone = "eu-west-2a"
		521 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		522 |   type              = "gp2"
		523 |   encrypted         = true
		524 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		525 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		526 | 
		527 |   lifecycle {
		528 |     ignore_changes = [kms_key_id]
		529 |   }
		530 | 
		531 |   tags = merge(
		532 |     local.tags,
		533 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		534 |   )
		535 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:543-559
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		543 | resource "aws_ebs_volume" "share" {
		544 |   availability_zone = "eu-west-2a"
		545 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		546 |   type              = "gp2"
		547 |   encrypted         = true
		548 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		549 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		550 | 
		551 |   lifecycle {
		552 |     ignore_changes = [kms_key_id]
		553 |   }
		554 | 
		555 |   tags = merge(
		556 |     local.tags,
		557 |     { "Name" = "${local.application_name_short}-database-share" },
		558 |   )
		559 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:83-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		83 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		84 |   bucket = aws_s3_bucket.backup_lambda.id
		85 |   rule {
		86 |     object_ownership = "ObjectWriter"
		87 |   }
		88 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.scripts
	File: /s3.tf:21-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		21 | resource "aws_s3_bucket_ownership_controls" "scripts" {
		22 |   bucket = aws_s3_bucket.scripts.id
		23 |   rule {
		24 |     object_ownership = "ObjectWriter"
		25 |   }
		26 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/lambda.tf line 135:
 135: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2025-02-06T13:31:05Z	INFO	[vulndb] Need to update DB
2025-02-06T13:31:05Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-06T13:31:05Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T13:31:07Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-06T13:31:07Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-06T13:31:07Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-06T13:31:07Z	INFO	[misconfig] Need to update the built-in checks
2025-02-06T13:31:07Z	INFO	[misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-02-06T13:31:08Z	INFO	[secret] Secret scanning is enabled
2025-02-06T13:31:08Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-06T13:31:08Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-06T13:31:09Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-02-06T13:31:09Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-02-06T13:31:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-06T13:31:10Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-06T13:31:10Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T13:31:10Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-06T13:31:14Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-06T13:31:14Z	INFO	Number of language-specific files	num=0
2025-02-06T13:31:14Z	INFO	Detected config files	num=10

alb.tf (terraform)
==================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:132
   via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
 130   resource "aws_lb" "external" {
 ...   
 132 [   internal                   = false
 ...   
 153   }
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:193
   via app_servers.tf:192-194 (metadata_options)
    via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
 181   resource "aws_instance" "app1" {
 ...   
 193 [     http_tokens = "optional"
 ...   
 213   }
────────────────────────────────────────


AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:228
   via app_servers.tf:227-229 (metadata_options)
    via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
 215   resource "aws_instance" "app2" {
 ...   
 228 [     http_tokens = "optional"
 ...   
 248   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:181-213
────────────────────────────────────────
 181 ┌ resource "aws_instance" "app1" {
 182 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 183 │   availability_zone           = "eu-west-2a"
 184 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 185 │   monitoring                  = true
 186 │   vpc_security_group_ids      = [aws_security_group.app.id]
 187 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 188 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 189 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:215-248
────────────────────────────────────────
 215 ┌ resource "aws_instance" "app2" {
 216 │   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
 217 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 218 │   availability_zone           = "eu-west-2a"
 219 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 220 │   monitoring                  = true
 221 │   vpc_security_group_ids      = [aws_security_group.app.id]
 222 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 223 └   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 ...   
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:171
   via concurrent_manager.tf:170-172 (metadata_options)
    via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
 159   resource "aws_instance" "concurrent_manager" {
 ...   
 171 [     http_tokens = "optional"
 ...   
 191   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:159-191
────────────────────────────────────────
 159 ┌ resource "aws_instance" "concurrent_manager" {
 160 │   ami                         = local.application_data.accounts[local.environment].cm_ami_id
 161 │   availability_zone           = "eu-west-2a"
 162 │   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
 163 │   monitoring                  = true
 164 │   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
 165 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 166 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 167 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:208
   via database.tf:207-209 (metadata_options)
    via database.tf:196-225 (aws_instance.database)
────────────────────────────────────────
 196   resource "aws_instance" "database" {
 ...   
 208 [     http_tokens = "optional"
 ...   
 225   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:196-225
────────────────────────────────────────
 196 ┌ resource "aws_instance" "database" {
 197 │   ami                         = local.application_data.accounts[local.environment].db_ami_id
 198 │   availability_zone           = "eu-west-2a"
 199 │   instance_type               = local.application_data.accounts[local.environment].db_instance_type
 200 │   monitoring                  = true
 201 │   vpc_security_group_ids      = [aws_security_group.database.id]
 202 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
 203 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 204 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:75-81
────────────────────────────────────────
  75 ┌ resource "aws_s3_bucket" "backup_lambda" {
  76 │   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
  77 │   tags = merge(
  78 │     local.tags,
  79 │     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
  80 │   )
  81 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:75-81
────────────────────────────────────────
  75 ┌ resource "aws_s3_bucket" "backup_lambda" {
  76 │   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
  77 │   tags = merge(
  78 │     local.tags,
  79 │     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
  80 │   )
  81 └ }
────────────────────────────────────────



s3.tf (terraform)
=================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────


trivy_exitcode=1

@vc13837 vc13837 had a problem deploying to contract-work-administration-development February 7, 2025 09:41 — with GitHub Actions Error

github-actions bot commented Feb 7, 2025

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/contract-work-administration


Running Trivy in terraform/environments/contract-work-administration
2025-02-07T09:42:25Z INFO [vulndb] Need to update DB
2025-02-07T09:42:25Z INFO [vulndb] Downloading vulnerability DB...
2025-02-07T09:42:25Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-07T09:42:28Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-07T09:42:28Z INFO [vuln] Vulnerability scanning is enabled
2025-02-07T09:42:28Z INFO [misconfig] Misconfiguration scanning is enabled
2025-02-07T09:42:28Z INFO [misconfig] Need to update the built-in checks
2025-02-07T09:42:28Z INFO [misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-02-07T09:42:29Z INFO [secret] Secret scanning is enabled
2025-02-07T09:42:29Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-07T09:42:29Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-07T09:42:30Z INFO [terraform scanner] Scanning root module file_path="."
2025-02-07T09:42:30Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-02-07T09:42:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-07T09:42:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-07T09:42:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-07T09:42:32Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-07T09:42:34Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-07T09:42:34Z INFO Number of language-specific files num=0
2025-02-07T09:42:34Z INFO Detected config files num=10

alb.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
alb.tf:130-153
────────────────────────────────────────
130 ┌ resource "aws_lb" "external" {
131 │ name = "${upper(local.application_name_short)}-LoadBalancer"
132 │ internal = false
133 │ load_balancer_type = "application"
134 │ security_groups = [aws_security_group.external_lb.id]
135 │ subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
136 │ enable_deletion_protection = local.lb_enable_deletion_protection
137 │ idle_timeout = local.external_lb_idle_timeout
138 └ enable_http2 = false
...
────────────────────────────────────────

AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
alb.tf:132
via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
130 resource "aws_lb" "external" {
...
132 [ internal = false
...
153 }
────────────────────────────────────────

app_servers.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:193
via app_servers.tf:192-194 (metadata_options)
via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
181 resource "aws_instance" "app1" {
...
193 [ http_tokens = "optional"
...
213 }
────────────────────────────────────────

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
app_servers.tf:228
via app_servers.tf:227-229 (metadata_options)
via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
215 resource "aws_instance" "app2" {
...
228 [ http_tokens = "optional"
...
248 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:181-213
────────────────────────────────────────
181 ┌ resource "aws_instance" "app1" {
182 │ ami = local.application_data.accounts[local.environment].app_ami_id
183 │ availability_zone = "eu-west-2a"
184 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
185 │ monitoring = true
186 │ vpc_security_group_ids = [aws_security_group.app.id]
187 │ subnet_id = data.aws_subnet.private_subnets_a.id
188 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
189 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
app_servers.tf:215-248
────────────────────────────────────────
215 ┌ resource "aws_instance" "app2" {
216 │ count = contains(["development2", "testing"], local.environment) ? 0 : 1
217 │ ami = local.application_data.accounts[local.environment].app_ami_id
218 │ availability_zone = "eu-west-2a"
219 │ instance_type = local.application_data.accounts[local.environment].app_instance_type
220 │ monitoring = true
221 │ vpc_security_group_ids = [aws_security_group.app.id]
222 │ subnet_id = data.aws_subnet.private_subnets_a.id
223 └ iam_instance_profile = aws_iam_instance_profile.cwa.id
...
────────────────────────────────────────

concurrent_manager.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
concurrent_manager.tf:171
via concurrent_manager.tf:170-172 (metadata_options)
via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
159 resource "aws_instance" "concurrent_manager" {
...
171 [ http_tokens = "optional"
...
191 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
concurrent_manager.tf:159-191
────────────────────────────────────────
159 ┌ resource "aws_instance" "concurrent_manager" {
160 │ ami = local.application_data.accounts[local.environment].cm_ami_id
161 │ availability_zone = "eu-west-2a"
162 │ instance_type = local.application_data.accounts[local.environment].cm_instance_type
163 │ monitoring = true
164 │ vpc_security_group_ids = [aws_security_group.concurrent_manager.id]
165 │ subnet_id = data.aws_subnet.private_subnets_a.id
166 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
167 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

database.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
database.tf:208
via database.tf:207-209 (metadata_options)
via database.tf:196-225 (aws_instance.database)
────────────────────────────────────────
196 resource "aws_instance" "database" {
...
208 [ http_tokens = "optional"
...
225 }
────────────────────────────────────────

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
database.tf:196-225
────────────────────────────────────────
196 ┌ resource "aws_instance" "database" {
197 │ ami = local.application_data.accounts[local.environment].db_ami_id
198 │ availability_zone = "eu-west-2a"
199 │ instance_type = local.application_data.accounts[local.environment].db_instance_type
200 │ monitoring = true
201 │ vpc_security_group_ids = [aws_security_group.database.id]
202 │ subnet_id = data.aws_subnet.data_subnets_a.id
203 │ iam_instance_profile = aws_iam_instance_profile.cwa.id
204 └ key_name = aws_key_pair.cwa.key_name
...
────────────────────────────────────────

lambda.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
lambda.tf:75-81
────────────────────────────────────────
75 ┌ resource "aws_s3_bucket" "backup_lambda" {
76 │ bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
77 │ tags = merge(
78 │ local.tags,
79 │ { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
80 │ )
81 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
lambda.tf:75-81
────────────────────────────────────────
75 ┌ resource "aws_s3_bucket" "backup_lambda" {
76 │ bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
77 │ tags = merge(
78 │ local.tags,
79 │ { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
80 │ )
81 └ }
────────────────────────────────────────

s3.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────

AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
s3.tf:5-11
────────────────────────────────────────
5 ┌ resource "aws_s3_bucket" "scripts" {
6 │ bucket = "${local.application_name_short}-${local.environment}-scripts"
7 │ tags = merge(
8 │ local.tags,
9 │ { Name = "${local.application_name_short}-${local.environment}-scripts" }
10 │ )
11 └ }
────────────────────────────────────────

trivy_exitcode=1

</details>

#### `Checkov Scan` Failed

<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Checkov in terraform/environments/contract-work-administration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-02-07 09:42:37,599 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-07 09:42:37,599 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2025-02-07 09:42:37,599 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 420, Failed checks: 58, Skipped checks: 0

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.load_balancer
	File: /acm_certificate.tf:19-28
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		19 | resource "aws_acm_certificate" "load_balancer" {
		20 |   domain_name               = "modernisation-platform.service.justice.gov.uk"
		21 |   validation_method         = "DNS"
		22 |   subject_alternative_names = local.environment == "production" ? null : ["${local.application_name_short}.${data.aws_route53_zone.external.name}"]
		23 |   tags                      = local.tags
		24 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		25 |   lifecycle {
		26 |     prevent_destroy = false
		27 |   }
		28 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: elb-logs-s3
	File: /alb.tf:12-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.external
	File: /alb.tf:130-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		130 | resource "aws_lb" "external" {
		131 |   name                       = "${upper(local.application_name_short)}-LoadBalancer"
		132 |   internal                   = false
		133 |   load_balancer_type         = "application"
		134 |   security_groups            = [aws_security_group.external_lb.id]
		135 |   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
		136 |   enable_deletion_protection = local.lb_enable_deletion_protection
		137 |   idle_timeout               = local.external_lb_idle_timeout
		138 |   enable_http2               = false
		139 |   # drop_invalid_header_fields = true
		140 | 
		141 |   access_logs {
		142 |     bucket  = local.lb_logs_bucket != "" ? local.lb_logs_bucket : module.elb-logs-s3[0].bucket.id
		143 |     prefix  = "${local.application_name}-LoadBalancer"
		144 |     enabled = true
		145 |   }
		146 | 
		147 |   tags = merge(
		148 |     local.tags,
		149 |     {
		150 |       Name = "${local.application_name}-LoadBalancer"
		151 |     },
		152 |   )
		153 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.external_lb_inbound
	File: /alb.tf:242-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		242 | resource "aws_vpc_security_group_ingress_rule" "external_lb_inbound" {
		243 |   security_group_id = aws_security_group.external_lb.id
		244 |   cidr_ipv4         = "0.0.0.0/0"
		245 |   from_port         = 443
		246 |   ip_protocol       = "tcp"
		247 |   to_port           = 443
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.external_lb_outbound
	File: /alb.tf:250-254
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		250 | resource "aws_vpc_security_group_egress_rule" "external_lb_outbound" {
		251 |   security_group_id = aws_security_group.external_lb.id
		252 |   cidr_ipv4         = "0.0.0.0/0"
		253 |   ip_protocol       = "-1"
		254 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app1
	File: /app_servers.tf:181-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		181 | resource "aws_instance" "app1" {
		182 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		183 |   availability_zone           = "eu-west-2a"
		184 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		185 |   monitoring                  = true
		186 |   vpc_security_group_ids      = [aws_security_group.app.id]
		187 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		188 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		189 |   key_name                    = aws_key_pair.cwa.key_name
		190 |   user_data_base64            = base64encode(local.app_userdata)
		191 |   user_data_replace_on_change = true
		192 |   metadata_options {
		193 |     http_tokens = "optional"
		194 |   }
		195 | 
		196 |   root_block_device {
		197 |     tags = merge(
		198 |       { "instance-scheduling" = "skip-scheduling" },
		199 |       local.tags,
		200 |       { "Name" = "${local.application_name_short}-app1-root" }
		201 |     )
		202 |   }
		203 | 
		204 |   tags = merge(
		205 |     { "instance-scheduling" = "skip-scheduling" },
		206 |     local.tags,
		207 |     { "Name" = local.appserver1_ec2_name },
		208 |     { "snapshot-with-daily-35-day-retention" = "yes" }
		209 |   )
		210 | 
		211 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		212 | 
		213 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		215 | resource "aws_instance" "app2" {
		216 |   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone           = "eu-west-2a"
		219 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring                  = true
		221 |   vpc_security_group_ids      = [aws_security_group.app.id]
		222 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		224 |   key_name                    = aws_key_pair.cwa.key_name
		225 |   user_data_base64            = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.app2
	File: /app_servers.tf:215-248
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		215 | resource "aws_instance" "app2" {
		216 |   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
		217 |   ami                         = local.application_data.accounts[local.environment].app_ami_id
		218 |   availability_zone           = "eu-west-2a"
		219 |   instance_type               = local.application_data.accounts[local.environment].app_instance_type
		220 |   monitoring                  = true
		221 |   vpc_security_group_ids      = [aws_security_group.app.id]
		222 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		223 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		224 |   key_name                    = aws_key_pair.cwa.key_name
		225 |   user_data_base64            = base64encode(local.app_userdata)
		226 |   user_data_replace_on_change = false
		227 |   metadata_options {
		228 |     http_tokens = "optional"
		229 |   }
		230 | 
		231 |   root_block_device {
		232 |     tags = merge(
		233 |       { "instance-scheduling" = "skip-scheduling" },
		234 |       local.tags,
		235 |       { "Name" = "${local.application_name_short}-app2-root" }
		236 |     )
		237 |   }
		238 | 
		239 |   tags = merge(
		240 |     { "instance-scheduling" = "skip-scheduling" },
		241 |     local.tags,
		242 |     { "Name" = "${upper(local.application_name_short)} App Instance 2" },
		243 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "no" } : { "snapshot-with-hourly-35-day-retention" = "yes" }
		244 |   )
		245 | 
		246 |   depends_on = [time_sleep.wait_app_userdata_scripts] # This resource creation will be delayed to ensure object exists in the bucket
		247 | 
		248 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.app_outbound
	File: /app_servers.tf:266-270
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		266 | resource "aws_vpc_security_group_egress_rule" "app_outbound" {
		267 |   security_group_id = aws_security_group.app.id
		268 |   cidr_ipv4         = "0.0.0.0/0"
		269 |   ip_protocol       = "-1"
		270 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.app_bastion_ssh
	File: /app_servers.tf:272-279
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		272 | resource "aws_vpc_security_group_ingress_rule" "app_bastion_ssh" {
		273 |   security_group_id            = aws_security_group.app.id
		274 |   description                  = "SSH from the Bastion"
		275 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		276 |   from_port                    = 22
		277 |   ip_protocol                  = "tcp"
		278 |   to_port                      = 22
		279 | }

Check: CKV_AWS_166: "Ensure Backup Vault is encrypted at rest using KMS CMK"
	FAILED for resource: aws_backup_vault.cwa
	File: /backups.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-backup-vault-is-encrypted-at-rest-using-kms-cmk

		1 | resource "aws_backup_vault" "cwa" {
		2 |   name = "${local.application_name_short}-backup-vault"
		3 |   tags = merge(
		4 |     local.tags,
		5 |     { "Name" = "${local.application_name_short}-backup-vault" },
		6 |   )
		7 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: bastion_linux
	File: /bastion.tf:5-32
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "bastion_linux" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0"
		7  | 
		8  |   providers = {
		9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
		10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
		11 |   }
		12 |   # s3 - used for logs and user ssh public keys
		13 |   bucket_name = "bastion-${local.application_name_short}"
		14 |   # public keys
		15 |   public_key_data = local.public_key_data.keys[local.environment]
		16 |   # logs
		17 |   log_auto_clean       = "Enabled"
		18 |   log_standard_ia_days = 30  # days before moving to IA storage
		19 |   log_glacier_days     = 60  # days before moving to Glacier
		20 |   log_expiry_days      = 180 # days before log expiration
		21 |   # bastion
		22 |   allow_ssh_commands = false
		23 |   app_name           = var.networking[0].application
		24 |   business_unit      = local.vpc_name
		25 |   subnet_set         = local.subnet_set
		26 |   environment        = local.environment
		27 |   region             = "eu-west-2"
		28 | 
		29 |   # Tags
		30 |   tags_common = local.tags
		31 |   tags_prefix = terraform.workspace
		32 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.concurrent_manager
	File: /concurrent_manager.tf:159-191
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		159 | resource "aws_instance" "concurrent_manager" {
		160 |   ami                         = local.application_data.accounts[local.environment].cm_ami_id
		161 |   availability_zone           = "eu-west-2a"
		162 |   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
		163 |   monitoring                  = true
		164 |   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
		165 |   subnet_id                   = data.aws_subnet.private_subnets_a.id
		166 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		167 |   key_name                    = aws_key_pair.cwa.key_name
		168 |   user_data_base64            = base64encode(local.cm_userdata)
		169 |   user_data_replace_on_change = true
		170 |   metadata_options {
		171 |     http_tokens = "optional"
		172 |   }
		173 | 
		174 |   root_block_device {
		175 |     tags = merge(
		176 |       { "instance-scheduling" = "skip-scheduling" },
		177 |       local.tags,
		178 |       { "Name" = "${local.application_name_short}-concurrent-manager-root" }
		179 |     )
		180 |   }
		181 | 
		182 |   tags = merge(
		183 |     { "instance-scheduling" = "skip-scheduling" },
		184 |     local.tags,
		185 |     { "Name" = local.cm_ec2_name },
		186 |     local.environment != "production" ? { "snapshot-with-daily-35-day-retention" = "yes" } : { "snapshot-with-daily-35-day-retention" = "yes" }
		187 |   )
		188 | 
		189 |   depends_on = [time_sleep.wait_cm_custom_script] # This resource creation will be delayed to ensure object exists in the bucket
		190 | 
		191 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.cm_outbound
	File: /concurrent_manager.tf:209-213
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		209 | resource "aws_vpc_security_group_egress_rule" "cm_outbound" {
		210 |   security_group_id = aws_security_group.concurrent_manager.id
		211 |   cidr_ipv4         = "0.0.0.0/0"
		212 |   ip_protocol       = "-1"
		213 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.cm_bastion_ssh
	File: /concurrent_manager.tf:215-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		215 | resource "aws_vpc_security_group_ingress_rule" "cm_bastion_ssh" {
		216 |   security_group_id            = aws_security_group.concurrent_manager.id
		217 |   description                  = "SSH from the Bastion"
		218 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		219 |   from_port                    = 22
		220 |   ip_protocol                  = "tcp"
		221 |   to_port                      = 22
		222 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.database
	File: /database.tf:196-225
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		196 | resource "aws_instance" "database" {
		197 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		198 |   availability_zone           = "eu-west-2a"
		199 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		200 |   monitoring                  = true
		201 |   vpc_security_group_ids      = [aws_security_group.database.id]
		202 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		203 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		204 |   key_name                    = aws_key_pair.cwa.key_name
		205 |   user_data_base64            = base64encode(local.db_userdata)
		206 |   user_data_replace_on_change = true
		207 |   metadata_options {
		208 |     http_tokens = "optional"
		209 |   }
		210 | 
		211 |   root_block_device {
		212 |     tags = merge(
		213 |       { "instance-scheduling" = "skip-scheduling" },
		214 |       local.tags,
		215 |       { "Name" = "${local.application_name_short}-database-root" }
		216 |     )
		217 |   }
		218 | 
		219 |   tags = merge(
		220 |     { "instance-scheduling" = "skip-scheduling" },
		221 |     local.tags,
		222 |     { "Name" = local.database_ec2_name }
		223 |   )
		224 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		225 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.database
	File: /database.tf:196-225
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		196 | resource "aws_instance" "database" {
		197 |   ami                         = local.application_data.accounts[local.environment].db_ami_id
		198 |   availability_zone           = "eu-west-2a"
		199 |   instance_type               = local.application_data.accounts[local.environment].db_instance_type
		200 |   monitoring                  = true
		201 |   vpc_security_group_ids      = [aws_security_group.database.id]
		202 |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		203 |   iam_instance_profile        = aws_iam_instance_profile.cwa.id
		204 |   key_name                    = aws_key_pair.cwa.key_name
		205 |   user_data_base64            = base64encode(local.db_userdata)
		206 |   user_data_replace_on_change = true
		207 |   metadata_options {
		208 |     http_tokens = "optional"
		209 |   }
		210 | 
		211 |   root_block_device {
		212 |     tags = merge(
		213 |       { "instance-scheduling" = "skip-scheduling" },
		214 |       local.tags,
		215 |       { "Name" = "${local.application_name_short}-database-root" }
		216 |     )
		217 |   }
		218 | 
		219 |   tags = merge(
		220 |     { "instance-scheduling" = "skip-scheduling" },
		221 |     local.tags,
		222 |     { "Name" = local.database_ec2_name }
		223 |   )
		224 |   depends_on = [time_sleep.wait_db_userdata_scripts]
		225 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.db_outbound
	File: /database.tf:248-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		248 | resource "aws_vpc_security_group_egress_rule" "db_outbound" {
		249 |   security_group_id = aws_security_group.database.id
		250 |   cidr_ipv4         = "0.0.0.0/0"
		251 |   ip_protocol       = "-1"
		252 | }

Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22"
	FAILED for resource: aws_vpc_security_group_ingress_rule.db_bastion_ssh
	File: /database.tf:254-261
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security

		254 | resource "aws_vpc_security_group_ingress_rule" "db_bastion_ssh" {
		255 |   security_group_id            = aws_security_group.database.id
		256 |   description                  = "SSH from the Bastion"
		257 |   referenced_security_group_id = module.bastion_linux.bastion_security_group
		258 |   from_port                    = 22
		259 |   ip_protocol                  = "tcp"
		260 |   to_port                      = 22
		261 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cwa
	File: /ec2_iam_profile.tf:44-108
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:31-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		31 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		32 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		36 |   )
		37 |   policy = <<EOF
		38 | {
		39 |     "Version" : "2012-10-17",
		40 |     "Statement": [
		41 |         {
		42 |             "Action": [
		43 |                 "ec2:CreateNetworkInterface",
		44 |                 "ec2:DescribeNetworkInterfaces",
		45 |                 "ec2:DeleteNetworkInterface",
		46 |                 "ec2:DeleteSnapshot",
		47 |                 "ec2:DescribeSubnets",
		48 |                 "ec2:DescribeVpcs",
		49 |                 "ec2:DescribeInstances",
		50 |                 "ec2:DescribeAddresses",
		51 |                 "ec2:DescribeInstanceStatus",
		52 |                 "ec2:DescribeVolumes",
		53 |                 "ec2:DescribeSnapshots",
		54 |                 "logs:CreateLogGroup",
		55 |                 "logs:CreateLogStream",
		56 |                 "logs:PutLogEvents"
		57 |             ],
		58 |             "Resource": "*",
		59 |             "Effect": "Allow"
		60 |         }
		61 |     ]
		62 | }
		63 | EOF
		64 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.backup_lambda
	File: /lambda.tf:31-64
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		31 | resource "aws_iam_policy" "backup_lambda" { #tfsec:ignore:aws-iam-no-policy-wildcards
		32 |   name = "${local.application_name_short}-${local.environment}-backup-lambda-policy"
		33 |   tags = merge(
		34 |     local.tags,
		35 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-policy" }
		36 |   )
		37 |   policy = <<EOF
		38 | {
		39 |     "Version" : "2012-10-17",
		40 |     "Statement": [
		41 |         {
		42 |             "Action": [
		43 |                 "ec2:CreateNetworkInterface",
		44 |                 "ec2:DescribeNetworkInterfaces",
		45 |                 "ec2:DeleteNetworkInterface",
		46 |                 "ec2:DeleteSnapshot",
		47 |                 "ec2:DescribeSubnets",
		48 |                 "ec2:DescribeVpcs",
		49 |                 "ec2:DescribeInstances",
		50 |                 "ec2:DescribeAddresses",
		51 |                 "ec2:DescribeInstanceStatus",
		52 |                 "ec2:DescribeVolumes",
		53 |                 "ec2:DescribeSnapshots",
		54 |                 "logs:CreateLogGroup",
		55 |                 "logs:CreateLogStream",
		56 |                 "logs:PutLogEvents"
		57 |             ],
		58 |             "Resource": "*",
		59 |             "Effect": "Allow"
		60 |         }
		61 |     ]
		62 | }
		63 | EOF
		64 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.backup_lambda
	File: /lambda.tf:144-161
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-382

		144 | resource "aws_security_group" "backup_lambda" {
		145 |   name        = "${local.application_name_short}-${local.environment}-backup-lambda-security-group"
		146 |   description = "Bakcup Lambda Security Group"
		147 |   vpc_id      = data.aws_vpc.shared.id
		148 | 
		149 |   egress {
		150 |     description = "outbound access"
		151 |     from_port   = 0
		152 |     to_port     = 0
		153 |     protocol    = "-1"
		154 |     cidr_blocks = ["0.0.0.0/0"]
		155 |   }
		156 | 
		157 |   tags = merge(
		158 |     local.tags,
		159 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda-security-group" }
		160 |   )
		161 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: aws_lambda_function.delete_db_snapshots
	File: /lambda.tf:163-185
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		163 | resource "aws_lambda_function" "delete_db_snapshots" {
		164 | 
		165 |   description      = "Clean up script to delete old unused snapshots"
		166 |   function_name    = "deletesnapshotFunction"
		167 |   role             = aws_iam_role.backup_lambda.arn
		168 |   handler          = "deletesnapshots.lambda_handler"
		169 |   source_code_hash = data.archive_file.delete_db_snapshots.output_base64sha256
		170 |   runtime          = "python3.8"
		171 |   s3_bucket        = aws_s3_bucket.backup_lambda.id
		172 |   s3_key           = "${local.delete_db_snapshots_script_prefix}.zip"
		173 |   memory_size      = 3000
		174 |   timeout          = 900
		175 |   depends_on       = [time_sleep.wait_for_provision_files] # This resource creation will be delayed to ensure object exists in the bucket
		176 | 
		177 |   vpc_config {
		178 |     security_group_ids = [aws_security_group.backup_lambda.id]
		179 |     subnet_ids         = [data.aws_subnet.data_subnets_a.id]
		180 |   }
		181 |   tags = merge(
		182 |     local.tags,
		183 |     { Name = "${local.application_name_short}-${local.environment}-lambda-delete-snapshots" }
		184 |   )
		185 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /sns.tf:34-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		34 | module "pagerduty_core_alerts" {
		35 |   depends_on = [
		36 |     aws_sns_topic.cwa
		37 |   ]
		38 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		39 |   sns_topics                = [aws_sns_topic.cwa.name]
		40 |   pagerduty_integration_key = local.pagerduty_integration_keys[local.pagerduty_integration_key_name]
		41 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cwa
	File: /sns.tf:6-14
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		6  | resource "aws_sns_topic" "cwa" {
		7  |   name = "${local.application_name_short}-${local.environment}-alerting-topic"
		8  |   tags = merge(
		9  |     local.tags,
		10 |     {
		11 |       Name = "${local.application_name_short}-${local.environment}-alerting-topic"
		12 |     }
		13 |   )
		14 | }

Check: CKV_AWS_124: "Ensure that CloudFormation stacks are sending event notifications to an SNS topic"
	FAILED for resource: aws_cloudformation_stack.wafv2
	File: /waf.tf:324-333
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-cloudformation-stacks-are-sending-event-notifications-to-an-sns-topic

		324 | resource "aws_cloudformation_stack" "wafv2" {
		325 |   name = "${local.application_name_short}-wafv2"
		326 |   parameters = {
		327 |     pEnvironment    = local.environment
		328 |     pAppName        = upper(local.application_name_short)
		329 |     pIsProd         = local.environment == "production" ? "true" : "false"
		330 |     pIPWhiteListArn = aws_wafv2_ip_set.moj_whitelist.arn
		331 |   }
		332 |   template_body = file("${path.module}/wafv2.template")
		333 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.wafv2
	File: /waf.tf:340-351
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		340 | resource "aws_cloudwatch_log_group" "wafv2" {
		341 |   count             = local.environment != "production" ? 1 : 0
		342 |   name              = "aws-waf-logs-${local.application_name_short}"
		343 |   retention_in_days = 7
		344 |   tags = merge(
		345 |     local.tags,
		346 |     {
		347 |       Name = "aws-waf-logs-${local.application_name_short}"
		348 |     },
		349 |   )
		350 | 
		351 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app1
	File: /app_servers.tf:386-405
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		386 | resource "aws_ebs_volume" "app1" {
		387 |   availability_zone = "eu-west-2a"
		388 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		389 |   type              = "gp2"
		390 |   encrypted         = true
		391 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		392 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		393 | 
		394 |   lifecycle {
		395 |     replace_triggered_by = [
		396 |       aws_instance.app1.id
		397 |     ]
		398 |     ignore_changes = [kms_key_id]
		399 |   }
		400 | 
		401 |   tags = merge(
		402 |     local.tags,
		403 |     { "Name" = "${local.application_name_short}-app1-data" },
		404 |   )
		405 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.app2
	File: /app_servers.tf:413-430
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		413 | resource "aws_ebs_volume" "app2" {
		414 |   count             = contains(["development2", "testing"], local.environment) ? 0 : 1
		415 |   availability_zone = "eu-west-2a"
		416 |   size              = local.application_data.accounts[local.environment].ebs_app_size
		417 |   type              = "gp2"
		418 |   encrypted         = true
		419 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		420 |   snapshot_id       = local.application_data.accounts[local.environment].app_snapshot_id # This is used for when data is being migrated
		421 | 
		422 |   lifecycle {
		423 |     ignore_changes = [kms_key_id]
		424 |   }
		425 | 
		426 |   tags = merge(
		427 |     local.tags,
		428 |     { "Name" = "${local.application_name_short}-app2-data" },
		429 |   )
		430 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.concurrent_manager
	File: /concurrent_manager.tf:246-265
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		246 | resource "aws_ebs_volume" "concurrent_manager" {
		247 |   availability_zone = "eu-west-2a"
		248 |   size              = local.application_data.accounts[local.environment].ebs_concurrent_manager_size
		249 |   type              = "gp2"
		250 |   encrypted         = true
		251 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		252 |   snapshot_id       = local.application_data.accounts[local.environment].concurrent_manager_snapshot_id # This is used for when data is being migrated
		253 | 
		254 |   lifecycle {
		255 |     replace_triggered_by = [
		256 |       aws_instance.concurrent_manager.id
		257 |     ]
		258 |     ignore_changes = [kms_key_id]
		259 |   }
		260 | 
		261 |   tags = merge(
		262 |     local.tags,
		263 |     { "Name" = "${local.application_name_short}-concurrent-manager-data" },
		264 |   )
		265 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oradata
	File: /database.tf:423-439
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		423 | resource "aws_ebs_volume" "oradata" {
		424 |   availability_zone = "eu-west-2a"
		425 |   size              = local.application_data.accounts[local.environment].ebs_oradata_size
		426 |   type              = "gp2"
		427 |   encrypted         = true
		428 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		429 |   snapshot_id       = local.application_data.accounts[local.environment].oradata_snapshot_id # This is used for when data is being migrated
		430 | 
		431 |   lifecycle {
		432 |     ignore_changes = [kms_key_id]
		433 |   }
		434 | 
		435 |   tags = merge(
		436 |     local.tags,
		437 |     { "Name" = "${local.application_name_short}-database-oradata" },
		438 |   )
		439 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oracle
	File: /database.tf:447-463
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		447 | resource "aws_ebs_volume" "oracle" {
		448 |   availability_zone = "eu-west-2a"
		449 |   size              = local.application_data.accounts[local.environment].ebs_oracle_size
		450 |   type              = "gp2"
		451 |   encrypted         = true
		452 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		453 |   snapshot_id       = local.application_data.accounts[local.environment].oracle_snapshot_id # This is used for when data is being migrated
		454 | 
		455 |   lifecycle {
		456 |     ignore_changes = [kms_key_id]
		457 |   }
		458 | 
		459 |   tags = merge(
		460 |     local.tags,
		461 |     { "Name" = "${local.application_name_short}-database-oracle" },
		462 |   )
		463 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraarch
	File: /database.tf:471-487
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		471 | resource "aws_ebs_volume" "oraarch" {
		472 |   availability_zone = "eu-west-2a"
		473 |   size              = local.application_data.accounts[local.environment].ebs_oraarch_size
		474 |   type              = "gp2"
		475 |   encrypted         = true
		476 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		477 |   snapshot_id       = local.application_data.accounts[local.environment].oraarch_snapshot_id # This is used for when data is being migrated
		478 | 
		479 |   lifecycle {
		480 |     ignore_changes = [kms_key_id]
		481 |   }
		482 | 
		483 |   tags = merge(
		484 |     local.tags,
		485 |     { "Name" = "${local.application_name_short}-database-oraarch" },
		486 |   )
		487 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oratmp
	File: /database.tf:495-511
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		495 | resource "aws_ebs_volume" "oratmp" {
		496 |   availability_zone = "eu-west-2a"
		497 |   size              = local.application_data.accounts[local.environment].ebs_oratmp_size
		498 |   type              = "gp2"
		499 |   encrypted         = true
		500 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		501 |   snapshot_id       = local.application_data.accounts[local.environment].oratmp_snapshot_id # This is used for when data is being migrated
		502 | 
		503 |   lifecycle {
		504 |     ignore_changes = [kms_key_id]
		505 |   }
		506 | 
		507 |   tags = merge(
		508 |     local.tags,
		509 |     { "Name" = "${local.application_name_short}-database-oratmp" },
		510 |   )
		511 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.oraredo
	File: /database.tf:519-535
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		519 | resource "aws_ebs_volume" "oraredo" {
		520 |   availability_zone = "eu-west-2a"
		521 |   size              = local.application_data.accounts[local.environment].ebs_oraredo_size
		522 |   type              = "gp2"
		523 |   encrypted         = true
		524 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		525 |   snapshot_id       = local.application_data.accounts[local.environment].oraredo_snapshot_id # This is used for when data is being migrated
		526 | 
		527 |   lifecycle {
		528 |     ignore_changes = [kms_key_id]
		529 |   }
		530 | 
		531 |   tags = merge(
		532 |     local.tags,
		533 |     { "Name" = "${local.application_name_short}-database-oraredo" },
		534 |   )
		535 | }

Check: CKV2_AWS_9: "Ensure that EBS are added in the backup plans of AWS Backup"
	FAILED for resource: aws_ebs_volume.share
	File: /database.tf:543-559
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ebs-are-added-in-the-backup-plans-of-aws-backup

		543 | resource "aws_ebs_volume" "share" {
		544 |   availability_zone = "eu-west-2a"
		545 |   size              = local.application_data.accounts[local.environment].ebs_share_size
		546 |   type              = "gp2"
		547 |   encrypted         = true
		548 |   kms_key_id        = data.aws_kms_key.ebs_shared.key_id
		549 |   snapshot_id       = local.application_data.accounts[local.environment].share_snapshot_id # This is used for when data is being migrated
		550 | 
		551 |   lifecycle {
		552 |     ignore_changes = [kms_key_id]
		553 |   }
		554 | 
		555 |   tags = merge(
		556 |     local.tags,
		557 |     { "Name" = "${local.application_name_short}-database-share" },
		558 |   )
		559 | }

Check: CKV2_AWS_18: "Ensure that Elastic File System (Amazon EFS) file systems are added in the backup plans of AWS Backup"
	FAILED for resource: aws_efs_file_system.cwa
	File: /efs.tf:1-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-elastic-file-system-amazon-efs-file-systems-are-added-in-the-backup-plans-of-aws-backup

		1  | resource "aws_efs_file_system" "cwa" {
		2  | 
		3  |   performance_mode = "maxIO"
		4  |   #   throughput_mode  = "Bursting"
		5  |   encrypted  = "true"
		6  |   kms_key_id = aws_kms_key.efs.arn
		7  | 
		8  |   lifecycle_policy {
		9  |     transition_to_ia = "AFTER_90_DAYS"
		10 |   }
		11 | 
		12 |   tags = merge(
		13 |     local.tags,
		14 |     { "Name" = "${upper(local.application_name_short)}-EFS" }
		15 |   )
		16 | 
		17 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.backup_lambda
	File: /lambda.tf:83-88
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		83 | resource "aws_s3_bucket_ownership_controls" "backup_lambda" {
		84 |   bucket = aws_s3_bucket.backup_lambda.id
		85 |   rule {
		86 |     object_ownership = "ObjectWriter"
		87 |   }
		88 | }

Check: CKV2_AWS_65: "Ensure access control lists for S3 buckets are disabled"
	FAILED for resource: aws_s3_bucket_ownership_controls.scripts
	File: /s3.tf:21-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-112

		21 | resource "aws_s3_bucket_ownership_controls" "scripts" {
		22 |   bucket = aws_s3_bucket.scripts.id
		23 |   rule {
		24 |     object_ownership = "ObjectWriter"
		25 |   }
		26 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.backup_lambda
	File: /lambda.tf:75-81
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		75 | resource "aws_s3_bucket" "backup_lambda" {
		76 |   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
		77 |   tags = merge(
		78 |     local.tags,
		79 |     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
		80 |   )
		81 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.scripts
	File: /s3.tf:5-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		5  | resource "aws_s3_bucket" "scripts" {
		6  |   bucket = "${local.application_name_short}-${local.environment}-scripts"
		7  |   tags = merge(
		8  |     local.tags,
		9  |     { Name = "${local.application_name_short}-${local.environment}-scripts" }
		10 |   )
		11 | }

cloudformation scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
	FAILED for resource: AWS::WAFv2::WebACL.WAFv2WebACL
	File: /wafv2.template:27-165
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

TFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running tflint in terraform/environments/contract-work-administration
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Missing version constraint for provider "template" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/cloudwatch.tf line 1126:
1126: data "template_file" "dashboard_no_ha" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "local" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/data.tf line 11:
  11: data "local_file" "cm_custom_metrics" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "time" in `required_providers` (terraform_required_providers)

  on terraform/environments/contract-work-administration/lambda.tf line 135:
 135: resource "time_sleep" "wait_for_provision_files" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/contract-work-administration

*****************************

Running Trivy in terraform/environments/contract-work-administration
2025-02-07T09:42:25Z	INFO	[vulndb] Need to update DB
2025-02-07T09:42:25Z	INFO	[vulndb] Downloading vulnerability DB...
2025-02-07T09:42:25Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-07T09:42:28Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-02-07T09:42:28Z	INFO	[vuln] Vulnerability scanning is enabled
2025-02-07T09:42:28Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-02-07T09:42:28Z	INFO	[misconfig] Need to update the built-in checks
2025-02-07T09:42:28Z	INFO	[misconfig] Downloading the built-in checks...
162.46 KiB / 162.46 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2025-02-07T09:42:29Z	INFO	[secret] Secret scanning is enabled
2025-02-07T09:42:29Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-02-07T09:42:29Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-02-07T09:42:30Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-02-07T09:42:30Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-02-07T09:42:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2025-02-07T09:42:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2025-02-07T09:42:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-07T09:42:32Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.bastion_linux.aws_autoscaling_group.bastion_linux_daily" err="1 error occurred:\n\t* invalid for-each in aws_autoscaling_group.bastion_linux_daily.dynamic.tag block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-02-07T09:42:34Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.0/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2025-02-07T09:42:34Z	INFO	Number of language-specific files	num=0
2025-02-07T09:42:34Z	INFO	Detected config files	num=10

alb.tf (terraform)
==================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 alb.tf:130-153
────────────────────────────────────────
 130 ┌ resource "aws_lb" "external" {
 131 │   name                       = "${upper(local.application_name_short)}-LoadBalancer"
 132 │   internal                   = false
 133 │   load_balancer_type         = "application"
 134 │   security_groups            = [aws_security_group.external_lb.id]
 135 │   subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
 136 │   enable_deletion_protection = local.lb_enable_deletion_protection
 137 │   idle_timeout               = local.external_lb_idle_timeout
 138 └   enable_http2               = false
 ...   
────────────────────────────────────────


AVD-AWS-0053 (HIGH): Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.


See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb.tf:132
   via alb.tf:130-153 (aws_lb.external)
────────────────────────────────────────
 130   resource "aws_lb" "external" {
 ...   
 132 [   internal                   = false
 ...   
 153   }
────────────────────────────────────────



app_servers.tf (terraform)
==========================
Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:193
   via app_servers.tf:192-194 (metadata_options)
    via app_servers.tf:181-213 (aws_instance.app1)
────────────────────────────────────────
 181   resource "aws_instance" "app1" {
 ...   
 193 [     http_tokens = "optional"
 ...   
 213   }
────────────────────────────────────────


AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 app_servers.tf:228
   via app_servers.tf:227-229 (metadata_options)
    via app_servers.tf:215-248 (aws_instance.app2[0])
────────────────────────────────────────
 215   resource "aws_instance" "app2" {
 ...   
 228 [     http_tokens = "optional"
 ...   
 248   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:181-213
────────────────────────────────────────
 181 ┌ resource "aws_instance" "app1" {
 182 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 183 │   availability_zone           = "eu-west-2a"
 184 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 185 │   monitoring                  = true
 186 │   vpc_security_group_ids      = [aws_security_group.app.id]
 187 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 188 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 189 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 app_servers.tf:215-248
────────────────────────────────────────
 215 ┌ resource "aws_instance" "app2" {
 216 │   count                       = contains(["development2", "testing"], local.environment) ? 0 : 1
 217 │   ami                         = local.application_data.accounts[local.environment].app_ami_id
 218 │   availability_zone           = "eu-west-2a"
 219 │   instance_type               = local.application_data.accounts[local.environment].app_instance_type
 220 │   monitoring                  = true
 221 │   vpc_security_group_ids      = [aws_security_group.app.id]
 222 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 223 └   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 ...   
────────────────────────────────────────



concurrent_manager.tf (terraform)
=================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 concurrent_manager.tf:171
   via concurrent_manager.tf:170-172 (metadata_options)
    via concurrent_manager.tf:159-191 (aws_instance.concurrent_manager)
────────────────────────────────────────
 159   resource "aws_instance" "concurrent_manager" {
 ...   
 171 [     http_tokens = "optional"
 ...   
 191   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 concurrent_manager.tf:159-191
────────────────────────────────────────
 159 ┌ resource "aws_instance" "concurrent_manager" {
 160 │   ami                         = local.application_data.accounts[local.environment].cm_ami_id
 161 │   availability_zone           = "eu-west-2a"
 162 │   instance_type               = local.application_data.accounts[local.environment].cm_instance_type
 163 │   monitoring                  = true
 164 │   vpc_security_group_ids      = [aws_security_group.concurrent_manager.id]
 165 │   subnet_id                   = data.aws_subnet.private_subnets_a.id
 166 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 167 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 database.tf:208
   via database.tf:207-209 (metadata_options)
    via database.tf:196-225 (aws_instance.database)
────────────────────────────────────────
 196   resource "aws_instance" "database" {
 ...   
 208 [     http_tokens = "optional"
 ...   
 225   }
────────────────────────────────────────


AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 database.tf:196-225
────────────────────────────────────────
 196 ┌ resource "aws_instance" "database" {
 197 │   ami                         = local.application_data.accounts[local.environment].db_ami_id
 198 │   availability_zone           = "eu-west-2a"
 199 │   instance_type               = local.application_data.accounts[local.environment].db_instance_type
 200 │   monitoring                  = true
 201 │   vpc_security_group_ids      = [aws_security_group.database.id]
 202 │   subnet_id                   = data.aws_subnet.data_subnets_a.id
 203 │   iam_instance_profile        = aws_iam_instance_profile.cwa.id
 204 └   key_name                    = aws_key_pair.cwa.key_name
 ...   
────────────────────────────────────────



lambda.tf (terraform)
=====================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 lambda.tf:75-81
────────────────────────────────────────
  75 ┌ resource "aws_s3_bucket" "backup_lambda" {
  76 │   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
  77 │   tags = merge(
  78 │     local.tags,
  79 │     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
  80 │   )
  81 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 lambda.tf:75-81
────────────────────────────────────────
  75 ┌ resource "aws_s3_bucket" "backup_lambda" {
  76 │   bucket = "${local.application_name_short}-${local.environment}-backup-lambda"
  77 │   tags = merge(
  78 │     local.tags,
  79 │     { Name = "${local.application_name_short}-${local.environment}-backup-lambda" }
  80 │   )
  81 └ }
────────────────────────────────────────



s3.tf (terraform)
=================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (HIGH: 2, CRITICAL: 0)

AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 s3.tf:5-11
────────────────────────────────────────
   5 ┌ resource "aws_s3_bucket" "scripts" {
   6 │   bucket = "${local.application_name_short}-${local.environment}-scripts"
   7 │   tags = merge(
   8 │     local.tags,
   9 │     { Name = "${local.application_name_short}-${local.environment}-scripts" }
  10 │   )
  11 └ }
────────────────────────────────────────


trivy_exitcode=1
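
The Checkov and Trivy findings above share one shape: each flagged resource omits a hardening argument rather than containing a bug. As an added example, not code from this PR or from the modernisation-platform-environments repository, the Terraform below shows the remediated form of each resource type the scanners flagged (S3 bucket encryption, ACLs, lifecycle and access logging; EC2 IMDSv2 and root-volume encryption; ALB invalid-header dropping). Resource names such as `aws_s3_bucket.scripts`, `aws_instance.app1` and `aws_lb.external` and the `local.*` values come from the scan output; `aws_kms_key.s3`, `aws_kms_key.ebs` and `aws_s3_bucket.access_logs` are assumed to exist elsewhere in the module and are not part of the PR.

```hcl
# Added example, not the PR's own code. Assumes aws_kms_key.s3, aws_kms_key.ebs and
# aws_s3_bucket.access_logs are defined elsewhere; aws_s3_bucket.scripts is the
# bucket already declared in s3.tf and is only referenced here.

# --- S3: CKV_AWS_145 / AVD-AWS-0088 / AVD-AWS-0132 (default KMS encryption) ----
resource "aws_s3_bucket_server_side_encryption_configuration" "scripts" {
  bucket = aws_s3_bucket.scripts.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.s3.arn # assumed customer managed key
    }
    bucket_key_enabled = true # one data key per bucket, far fewer KMS calls
  }
}

# --- S3: CKV2_AWS_65 (disable ACLs). Any uploader that still sets an ACL, e.g.
# `--acl bucket-owner-full-control`, fails with AccessControlListNotSupported
# once this is applied, so check how the Lambda zip is uploaded first. --------
resource "aws_s3_bucket_ownership_controls" "scripts" {
  bucket = aws_s3_bucket.scripts.id
  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# --- S3: CKV2_AWS_61 (lifecycle). Versioning so that an overwritten script can
# be recovered; the rule only expires old versions and abandoned uploads. ------
resource "aws_s3_bucket_versioning" "scripts" {
  bucket = aws_s3_bucket.scripts.id
  versioning_configuration {
    status = "Enabled"
  }
}

resource "aws_s3_bucket_lifecycle_configuration" "scripts" {
  bucket = aws_s3_bucket.scripts.id
  rule {
    id     = "tidy-old-versions"
    status = "Enabled"
    filter {} # empty filter: the rule applies to every object
    noncurrent_version_expiration {
      noncurrent_days = 30
    }
    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}

# --- S3: CKV_AWS_18 (server access logging to a separate, assumed log bucket) --
resource "aws_s3_bucket_logging" "scripts" {
  bucket        = aws_s3_bucket.scripts.id
  target_bucket = aws_s3_bucket.access_logs.id # assumed
  target_prefix = "s3/${aws_s3_bucket.scripts.id}/"
}

# --- EC2: AVD-AWS-0028 (IMDSv2 only) and AVD-AWS-0131 (encrypted root volume) -
# Other arguments (AZ, security groups, key pair, tags) as in app_servers.tf.
resource "aws_instance" "app1" {
  ami                  = local.application_data.accounts[local.environment].app_ami_id
  instance_type        = local.application_data.accounts[local.environment].app_instance_type
  subnet_id            = data.aws_subnet.private_subnets_a.id
  iam_instance_profile = aws_iam_instance_profile.cwa.id

  metadata_options {
    http_endpoint               = "enabled"
    http_tokens                 = "required" # IMDSv2 only; IMDSv1 GETs now fail
    http_put_response_hop_limit = 1          # token cannot be fetched via a forwarded hop
  }

  root_block_device {
    encrypted  = true
    kms_key_id = aws_kms_key.ebs.arn # assumed CMK; omit to use the account's default EBS key
  }
}

# --- ALB: AVD-AWS-0052. AVD-AWS-0053 (internal = false) is expected for an
# external load balancer and should be accepted rather than "fixed". ----------
resource "aws_lb" "external" {
  name                       = "${upper(local.application_name_short)}-LoadBalancer"
  internal                   = false
  load_balancer_type         = "application"
  security_groups            = [aws_security_group.external_lb.id]
  subnets                    = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id]
  drop_invalid_header_fields = true # non-RFC-conformant headers are dropped before reaching targets
}
```

Two of these changes can break a running system and deserve a check before they are applied. Before switching `http_tokens` to `required`, look at the `MetadataNoToken` metric for each instance in the `AWS/EC2` CloudWatch namespace: a non-zero value means something on the host (an old SDK, a startup script using `curl http://169.254.169.254/...` without a token) still relies on IMDSv1 and will lose its credentials. Before moving to `BucketOwnerEnforced`, confirm nothing writes to the bucket with an explicit ACL; plain `aws_s3_object` resources and `aws s3 cp` without `--acl` are unaffected.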

@vc13837 vc13837 had a problem deploying to contract-work-administration-development February 7, 2025 13:45 — with GitHub Actions Failure