ministryofjustice / modernisation-platform-environments

Modernisation platform environments • This repository is defined and managed in Terraform
MIT License

Update_241024_10 #8451

Closed nbuckingham72 closed 5 days ago

nbuckingham72 commented 5 days ago

Enabled S3 bucket notifications in Prod, disabled in UAT (TF erroring as the resource doesn't exist), enabled ALB logging in Development.
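The description above records ALB access logging being enabled in Development, and the Checkov output further down this thread fails CKV_AWS_91 (ELBv2 access logging) on the load balancers that still lack it. The Terraform below is an added illustration, not code from this PR or from the modernisation-platform-environments repository, of what a working access-logging setup involves beyond the `access_logs` block itself: the log bucket, its encryption setting and the bucket policy that lets the regional Elastic Load Balancing account write into it. All resource names, the `alb-logs` prefix and the security group and subnet references are assumptions chosen for the example.

```hcl
# Added example, not repository code. Resource names, the "alb-logs" prefix
# and the referenced security group / subnets are assumptions.

data "aws_caller_identity" "current" {}

# Resolves the regional Elastic Load Balancing account (the provider's region,
# assumed to be eu-west-2) that writes access logs into the bucket.
data "aws_elb_service_account" "main" {}

resource "aws_s3_bucket" "alb_logs" {
  bucket = "example-alb-access-logs-${data.aws_caller_identity.current.account_id}"
}

# ALB access-log delivery only works with SSE-S3 (AES256) default encryption.
# A bucket defaulting to SSE-KMS causes delivery to fail, so a "use a customer
# managed key" scanner finding on this bucket has to be a documented exception.
resource "aws_s3_bucket_server_side_encryption_configuration" "alb_logs" {
  bucket = aws_s3_bucket.alb_logs.id

  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "alb_logs" {
  bucket                  = aws_s3_bucket.alb_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Only the regional ELB account may write, and only under the prefix and
# account path that ALB log delivery actually uses.
data "aws_iam_policy_document" "alb_logs" {
  statement {
    sid     = "AllowELBLogDelivery"
    effect  = "Allow"
    actions = ["s3:PutObject"]
    resources = [
      "${aws_s3_bucket.alb_logs.arn}/alb-logs/AWSLogs/${data.aws_caller_identity.current.account_id}/*"
    ]

    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.main.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "alb_logs" {
  bucket = aws_s3_bucket.alb_logs.id
  policy = data.aws_iam_policy_document.alb_logs.json
}

resource "aws_lb" "example" {
  name               = "example-alb"
  internal           = false
  load_balancer_type = "application"
  security_groups    = [aws_security_group.example.id]                     # assumed to exist
  subnets            = [aws_subnet.public_a.id, aws_subnet.public_b.id]   # assumed to exist

  enable_deletion_protection = true
  drop_invalid_header_fields = true

  access_logs {
    bucket  = aws_s3_bucket.alb_logs.id
    prefix  = "alb-logs"
    enabled = true
  }

  # Elastic Load Balancing writes a test object when logging is enabled and
  # the apply fails if that write is denied, so the policy must exist first.
  depends_on = [aws_s3_bucket_policy.alb_logs]
}
```

Two points are easy to miss. ALB access-log delivery requires SSE-S3 default encryption on the bucket, so a rule that demands a customer managed KMS key (Trivy's avd-aws-0132 in this thread fires on a different bucket, but would fire on this one too) is satisfied for a log bucket only by a recorded exception, not by switching to SSE-KMS. And the bucket policy has to be applied before the `aws_lb` is created or changed, because the test write that Elastic Load Balancing performs when logging is enabled fails the apply if the policy is missing; the `depends_on` enforces that ordering.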

github-actions[bot] commented 5 days ago

#### `Trivy Scan` Failed

```hcl
*****************************
Trivy will check the following folders:
terraform/environments/ppud
*****************************
Running Trivy in terraform/environments/ppud
2024-10-24T13:02:51Z INFO [vulndb] Need to update DB
2024-10-24T13:02:51Z INFO [vulndb] Downloading vulnerability DB...
2024-10-24T13:02:51Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-24T13:02:54Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-24T13:02:54Z INFO [vuln] Vulnerability scanning is enabled
2024-10-24T13:02:54Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-24T13:02:54Z INFO [misconfig] Need to update the built-in checks
2024-10-24T13:02:54Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-10-24T13:02:54Z INFO [secret] Secret scanning is enabled
2024-10-24T13:02:54Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-24T13:02:54Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-24T13:02:55Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-24T13:02:55Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.Memory_percentage_Committed_Bytes_In_Use" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.Windows_IIS_check" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.cpu" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.cpu_usage_iowait" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.instance_health_check" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_cpu" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_cpu_usage_iowait" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_ec2_high_memory_usage" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_instance_health_check" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_system_health_check" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.low_disk_space_C_volume" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.low_disk_space_D_volume" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.low_disk_space_root_volume" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-behavior-detected" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-engine-out-of-date" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-engine-update-failed" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-scan-failed" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-signature-update-failed" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-state-detected" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.system_health_check" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="data.aws_instance.linux_instance_details" value="cty.NilVal"
2024-10-24T13:02:56Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="data.aws_instance.windows_instance_details" value="cty.NilVal"
2024-10-24T13:02:56Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="iam.tf:899-906"
2024-10-24T13:02:56Z INFO Number of language-specific files num=0
2024-10-24T13:02:56Z INFO Detected config files num=6

alb_external.tf (terraform)
===========================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb_external.tf:86
   via alb_external.tf:84-97 (aws_lb.WAM-ALB)
────────────────────────────────────────
  84   resource "aws_lb" "WAM-ALB" {
  ..
  86 [   internal = false
  ..
  97   }
────────────────────────────────────────


s3.tf (terraform)
=================
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 s3.tf:114-126
────────────────────────────────────────
 114 ┌ resource "aws_s3_bucket" "MoJ-Health-Check-Reports" {
 115 │   # checkov:skip=CKV_AWS_145: "S3 bucket is not public facing, does not contain any sensitive information and does not need encryption"
 116 │   # checkov:skip=CKV_AWS_62: "S3 bucket event notification is not required"
 117 │   # checkov:skip=CKV2_AWS_62: "S3 bucket event notification is not required"
 118 │   # checkov:skip=CKV_AWS_144: "PPUD has a UK Sovereignty requirement so cross region replication is prohibited"
 119 │   bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3
 120 │   tags = merge(
 121 │     local.tags,
 122 └     {
 ...
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 s3.tf:114-126
────────────────────────────────────────
 114 ┌ resource "aws_s3_bucket" "MoJ-Health-Check-Reports" {
 115 │   # checkov:skip=CKV_AWS_145: "S3 bucket is not public facing, does not contain any sensitive information and does not need encryption"
 116 │   # checkov:skip=CKV_AWS_62: "S3 bucket event notification is not required"
 117 │   # checkov:skip=CKV2_AWS_62: "S3 bucket event notification is not required"
 118 │   # checkov:skip=CKV_AWS_144: "PPUD has a UK Sovereignty requirement so cross region replication is prohibited"
 119 │   bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3
 120 │   tags = merge(
 121 │     local.tags,
 122 └     {
 ...
────────────────────────────────────────


trivy_exitcode=1
```
#### `Checkov Scan` Failed
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/ppud
*****************************
Running Checkov in terraform/environments/ppud
Excluding the following checks:
CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 1013, Failed checks: 31, Skipped checks: 127

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
    FAILED for resource: aws_lb.WAM-ALB
    File: /alb_external.tf:84-97
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

        84 | resource "aws_lb" "WAM-ALB" {
        85 |   name               = local.application_data.accounts[local.environment].WAM_ALB
        86 |   internal           = false
        87 |   load_balancer_type = "application"
        88 |   security_groups    = [aws_security_group.WAM-ALB.id]
        89 |   subnets            = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id]
        90 |
        91 |   enable_deletion_protection = true
        92 |   drop_invalid_header_fields = true
        93 |
        94 |   tags = {
        95 |     Name = "${var.networking[0].business-unit}-${local.environment}"
        96 |   }
        97 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
    FAILED for resource: aws_lb_target_group.WAM-Target-Group
    File: /alb_external.tf:141-161

        141 | resource "aws_lb_target_group" "WAM-Target-Group" {
        142 |   name     = "WAM"
        143 |   port     = 80
        144 |   protocol = "HTTP"
        145 |   vpc_id   = data.aws_vpc.shared.id
        146 |
        147 |   health_check {
        148 |     enabled             = true
        149 |     path                = "/"
        150 |     interval            = 30
        151 |     protocol            = "HTTP"
        152 |     port                = 80
        153 |     timeout             = 5
        154 |     healthy_threshold   = 5
        155 |     unhealthy_threshold = 2
        156 |     matcher             = "302"
        157 |   }
        158 |   tags = {
        159 |     Name = "${var.networking[0].business-unit}-${local.environment}"
        160 |   }
        161 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
    FAILED for resource: aws_lb.PPUD-internal-ALB
    File: /alb_internal.tf:5-20
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

        5  | resource "aws_lb" "PPUD-internal-ALB" {
        6  |   count              = local.is-development == false ? 1 : 0
        7  |   name               = local.application_data.accounts[local.environment].PPUD_Internal_ALB
        8  |   internal           = true
        9  |   idle_timeout       = 240
        10 |   load_balancer_type = "application"
        11 |   security_groups    = [aws_security_group.PPUD-ALB.id]
        12 |   subnets            = [data.aws_subnet.private_subnets_b.id, data.aws_subnet.private_subnets_c.id]
        13 |
        14 |   enable_deletion_protection = true
        15 |   drop_invalid_header_fields = true
        16 |
        17 |   tags = {
        18 |     Name = "${var.networking[0].business-unit}-${local.environment}"
        19 |   }
        20 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_certificate_expiry_dev
    File: /certificate_mgmt.tf:16-41
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        16 | resource "aws_lambda_function" "terraform_lambda_func_certificate_expiry_dev" {
        17 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        18 |   # checkov:skip=CKV_AWS_173: "PPUD Lambda environmental variables do not contain sensitive information"
        19 |   count                          = local.is-development == true ? 1 : 0
        20 |   filename                       = "${path.module}/lambda_scripts/certificate_expiry_dev.zip"
        21 |   function_name                  = "certificate_expiry_dev"
        22 |   role                           = aws_iam_role.lambda_role_certificate_expiry_dev[0].arn
        23 |   handler                        = "certificate_expiry_dev.lambda_handler"
        24 |   runtime                        = "python3.8"
        25 |   timeout                        = 30
        26 |   reserved_concurrent_executions = 5
        27 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:075585660276:code-signing-config:csc-0c7136ccff2de748f"
        28 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_certificate_expiry_to_lambda_role_certificate_expiry_dev]
        29 |   environment {
        30 |     variables = {
        31 |       EXPIRY_DAYS   = "45",
        32 |       SNS_TOPIC_ARN = "arn:aws:sns:eu-west-2:075585660276:ec2_cloudwatch_alarms"
        33 |     }
        34 |   }
        35 |   dead_letter_config {
        36 |     target_arn = aws_sqs_queue.lambda_queue_dev[0].arn
        37 |   }
        38 |   tracing_config {
        39 |     mode = "Active"
        40 |   }
        41 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_certificate_expiry_uat
    File: /certificate_mgmt.tf:94-119
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        94  | resource "aws_lambda_function" "terraform_lambda_func_certificate_expiry_uat" {
        95  |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        96  |   # checkov:skip=CKV_AWS_173: "PPUD Lambda environmental variables do not contain sensitive information"
        97  |   count                          = local.is-preproduction == true ? 1 : 0
        98  |   filename                       = "${path.module}/lambda_scripts/certificate_expiry_uat.zip"
        99  |   function_name                  = "certificate_expiry_uat"
        100 |   role                           = aws_iam_role.lambda_role_certificate_expiry_uat[0].arn
        101 |   handler                        = "certificate_expiry_uat.lambda_handler"
        102 |   runtime                        = "python3.8"
        103 |   timeout                        = 30
        104 |   reserved_concurrent_executions = 5
        105 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:172753231260:code-signing-config:csc-0db408c5170a8eba6"
        106 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_certificate_expiry_to_lambda_role_certificate_expiry_uat]
        107 |   environment {
        108 |     variables = {
        109 |       EXPIRY_DAYS   = "45",
        110 |       SNS_TOPIC_ARN = "arn:aws:sns:eu-west-2:172753231260:ppud-uat-cw-alerts"
        111 |     }
        112 |   }
        113 |   dead_letter_config {
        114 |     target_arn = aws_sqs_queue.lambda_queue_uat[0].arn
        115 |   }
        116 |   tracing_config {
        117 |     mode = "Active"
        118 |   }
        119 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_certificate_expiry_prod
    File: /certificate_mgmt.tf:172-197
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        172 | resource "aws_lambda_function" "terraform_lambda_func_certificate_expiry_prod" {
        173 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        174 |   # checkov:skip=CKV_AWS_173: "PPUD Lambda environmental variables do not contain sensitive information"
        175 |   count                          = local.is-production == true ? 1 : 0
        176 |   filename                       = "${path.module}/lambda_scripts/certificate_expiry_prod.zip"
        177 |   function_name                  = "certificate_expiry_prod"
        178 |   role                           = aws_iam_role.lambda_role_certificate_expiry_prod[0].arn
        179 |   handler                        = "certificate_expiry_prod.lambda_handler"
        180 |   runtime                        = "python3.8"
        181 |   timeout                        = 30
        182 |   reserved_concurrent_executions = 5
        183 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1"
        184 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_certificate_expiry_to_lambda_role_certificate_expiry_prod]
        185 |   environment {
        186 |     variables = {
        187 |       EXPIRY_DAYS   = "45",
        188 |       SNS_TOPIC_ARN = "arn:aws:sns:eu-west-2:817985104434:ppud-prod-cw-alerts"
        189 |     }
        190 |   }
        191 |   dead_letter_config {
        192 |     target_arn = aws_sqs_queue.lambda_queue_prod[0].arn
        193 |   }
        194 |   tracing_config {
        195 |     mode = "Active"
        196 |   }
        197 | }

Check: CKV_AWS_123: "Ensure that VPC Endpoint Service is configured for Manual Acceptance"
    FAILED for resource: aws_vpc_endpoint_service.HomeOffice
    File: /endpointservice.tf:1-8
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-vpc-endpoint-service-is-configured-for-manual-acceptance

        1 | resource "aws_vpc_endpoint_service" "HomeOffice" {
        2 |   count                      = local.is-production == true ? 1 : 0
        3 |   acceptance_required        = false
        4 |   network_load_balancer_arns = [aws_lb.ppud_internal_nlb[0].arn]
        5 |   tags = {
        6 |     Name = "HomeOffice-Endpoint"
        7 |   }
        8 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
    FAILED for resource: aws_lb.ppud_internal_nlb
    File: /endpointservice.tf:16-33
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

        16 | resource "aws_lb" "ppud_internal_nlb" {
        17 |   count                      = local.is-production == true ? 1 : 0
        18 |   name                       = "ppud-internal-nlb"
        19 |   internal                   = true
        20 |   load_balancer_type         = "network"
        21 |   subnets                    = [data.aws_subnet.private_subnets_b.id, data.aws_subnet.private_subnets_c.id]
        22 |   security_groups            = [aws_security_group.PPUD-ALB.id]
        23 |   enable_deletion_protection = true
        24 |   #access_logs {
        25 |   #  bucket  = aws_s3_bucket.moj-log-files-prod[0].id
        26 |   #  prefix  = "alb-logs"
        27 |   #  enabled = true
        28 |   #}
        29 |
        30 |   tags = {
        31 |     Name = "${var.networking[0].business-unit}-${local.environment}"
        32 |   }
        33 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
    FAILED for resource: aws_lb.ppud_internal_nlb
    File: /endpointservice.tf:16-33
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

        16 | resource "aws_lb" "ppud_internal_nlb" {
        17 |   count                      = local.is-production == true ? 1 : 0
        18 |   name                       = "ppud-internal-nlb"
        19 |   internal                   = true
        20 |   load_balancer_type         = "network"
        21 |   subnets                    = [data.aws_subnet.private_subnets_b.id, data.aws_subnet.private_subnets_c.id]
        22 |   security_groups            = [aws_security_group.PPUD-ALB.id]
        23 |   enable_deletion_protection = true
        24 |   #access_logs {
        25 |   #  bucket  = aws_s3_bucket.moj-log-files-prod[0].id
        26 |   #  prefix  = "alb-logs"
        27 |   #  enabled = true
        28 |   #}
        29 |
        30 |   tags = {
        31 |     Name = "${var.networking[0].business-unit}-${local.environment}"
        32 |   }
        33 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
    FAILED for resource: aws_iam_policy_document.sprinkler_ebs_encryption_policy_doc
    File: /kms.tf:11-53
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

        11 | data "aws_iam_policy_document" "sprinkler_ebs_encryption_policy_doc" {
        12 |   # checkov:skip=CKV_AWS_356: "Required to allow root user full management access to key"
        13 |   # Allow root users full management access to key
        14 |   statement {
        15 |     effect = "Allow"
        16 |     actions = [
        17 |       "kms:*"
        18 |     ]
        19 |
        20 |     resources = ["*"] # Represents the key to which this policy is attached
        21 |
        22 |     # AWS should add the AWS account by default but adding here for visibility
        23 |     principals {
        24 |       type        = "AWS"
        25 |       identifiers = [data.aws_caller_identity.current.account_id] #
        26 |     }
        27 |   }
        28 |
        29 |   # Allow all mod platform account to use this key so that they can launch ec2 instances based on AMIs backed by encrypted snapshots
        30 |   statement {
        31 |     effect = "Allow"
        32 |     actions = [
        33 |       "kms:DescribeKey",
        34 |       "kms:ReEncrypt*",
        35 |       "kms:CreateGrant",
        36 |       "kms:Decrypt"
        37 |     ]
        38 |
        39 |     resources = ["*"]
        40 |     principals {
        41 |       type        = "AWS"
        42 |       identifiers = ["*"]
        43 |     }
        44 |
        45 |     condition {
        46 |       test     = "ForAnyValue:StringLike"
        47 |       variable = "aws:PrincipalOrgPaths"
        48 |       values = [
        49 |         "${data.aws_organizations_organization.root_account.id}/*/${local.environment_management.modernisation_platform_organisation_unit_id}/*"
        50 |       ]
        51 |     }
        52 |   }
        53 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    FAILED for resource: aws_iam_policy_document.sprinkler_ebs_encryption_policy_doc
    File: /kms.tf:11-53
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

        11 | data "aws_iam_policy_document" "sprinkler_ebs_encryption_policy_doc" {
        12 |   # checkov:skip=CKV_AWS_356: "Required to allow root user full management access to key"
        13 |   # Allow root users full management access to key
        14 |   statement {
        15 |     effect = "Allow"
        16 |     actions = [
        17 |       "kms:*"
        18 |     ]
        19 |
        20 |     resources = ["*"] # Represents the key to which this policy is attached
        21 |
        22 |     # AWS should add the AWS account by default but adding here for visibility
        23 |     principals {
        24 |       type        = "AWS"
        25 |       identifiers = [data.aws_caller_identity.current.account_id] #
        26 |     }
        27 |   }
        28 |
        29 |   # Allow all mod platform account to use this key so that they can launch ec2 instances based on AMIs backed by encrypted snapshots
        30 |   statement {
        31 |     effect = "Allow"
        32 |     actions = [
        33 |       "kms:DescribeKey",
        34 |       "kms:ReEncrypt*",
        35 |       "kms:CreateGrant",
        36 |       "kms:Decrypt"
        37 |     ]
        38 |
        39 |     resources = ["*"]
        40 |     principals {
        41 |       type        = "AWS"
        42 |       identifiers = ["*"]
        43 |     }
        44 |
        45 |     condition {
        46 |       test     = "ForAnyValue:StringLike"
        47 |       variable = "aws:PrincipalOrgPaths"
        48 |       values = [
        49 |         "${data.aws_organizations_organization.root_account.id}/*/${local.environment_management.modernisation_platform_organisation_unit_id}/*"
        50 |       ]
        51 |     }
        52 |   }
        53 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_stop
    File: /lambda.tf:23-40
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        23 | resource "aws_lambda_function" "terraform_lambda_func_stop" {
        24 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        25 |   count                          = local.is-production == true ? 1 : 0
        26 |   filename                       = "${path.module}/stop-instance/StopEC2Instances.zip"
        27 |   function_name                  = "stop_Lambda_Function"
        28 |   role                           = aws_iam_role.lambda_role[0].arn
        29 |   handler                        = "StopEC2Instances.lambda_handler"
        30 |   runtime                        = "python3.9"
        31 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role]
        32 |   reserved_concurrent_executions = 5
        33 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1"
        34 |   dead_letter_config {
        35 |     target_arn = aws_sqs_queue.lambda_queue_prod[0].arn
        36 |   }
        37 |   tracing_config {
        38 |     mode = "Active"
        39 |   }
        40 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_start
    File: /lambda.tf:42-59
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        42 | resource "aws_lambda_function" "terraform_lambda_func_start" {
        43 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        44 |   count                          = local.is-production == true ? 1 : 0
        45 |   filename                       = "${path.module}/start-instance/StartEC2Instances.zip"
        46 |   function_name                  = "start_Lambda_Function"
        47 |   role                           = aws_iam_role.lambda_role[0].arn
        48 |   handler                        = "StartEC2Instances.lambda_handler"
        49 |   runtime                        = "python3.9"
        50 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role]
        51 |   reserved_concurrent_executions = 5
        52 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1"
        53 |   dead_letter_config {
        54 |     target_arn = aws_sqs_queue.lambda_queue_prod[0].arn
        55 |   }
        56 |   tracing_config {
        57 |     mode = "Active"
        58 |   }
        59 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_disable_cpu_alarm
    File: /lambda.tf:193-210
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        193 | resource "aws_lambda_function" "terraform_lambda_disable_cpu_alarm" {
        194 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        195 |   count                          = local.is-production == true ? 1 : 0
        196 |   filename                       = "${path.module}/lambda_scripts/disable_cpu_alarm.zip"
        197 |   function_name                  = "disable_cpu_alarm"
        198 |   role                           = aws_iam_role.lambda_role_alarm_suppression[0].arn
        199 |   handler                        = "disable_cpu_alarm.lambda_handler"
        200 |   runtime                        = "python3.12"
        201 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_alarm_suppression_to_lambda_role_alarm_suppression]
        202 |   reserved_concurrent_executions = 5
        203 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1"
        204 |   dead_letter_config {
        205 |     target_arn = aws_sqs_queue.lambda_queue_prod[0].arn
        206 |   }
        207 |   tracing_config {
        208 |     mode = "Active"
        209 |   }
        210 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_enable_cpu_alarm
    File: /lambda.tf:214-231
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        214 | resource "aws_lambda_function" "terraform_lambda_enable_cpu_alarm" {
        215 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        216 |   count                          = local.is-production == true ? 1 : 0
        217 |   filename                       = "${path.module}/lambda_scripts/enable_cpu_alarm.zip"
        218 |   function_name                  = "enable_cpu_alarm"
        219 |   role                           = aws_iam_role.lambda_role_alarm_suppression[0].arn
        220 |   handler                        = "enable_cpu_alarm.lambda_handler"
        221 |   runtime                        = "python3.12"
        222 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_alarm_suppression_to_lambda_role_alarm_suppression]
        223 |   reserved_concurrent_executions = 5
        224 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1"
        225 |   dead_letter_config {
        226 |     target_arn = aws_sqs_queue.lambda_queue_prod[0].arn
        227 |   }
        228 |   tracing_config {
        229 |     mode = "Active"
        230 |   }
        231 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_dev
    File: /lambda.tf:246-264
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        246 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_dev" {
        247 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        248 |   count                          = local.is-development == true ? 1 : 0
        249 |   filename                       = "${path.module}/lambda_scripts/terminate_cpu_process_dev.zip"
        250 |   function_name                  = "terminate_cpu_process"
        251 |   role                           = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_dev[0].arn
        252 |   handler                        = "terminate_cpu_process_dev.lambda_handler"
        253 |   runtime                        = "python3.12"
        254 |   timeout                        = 300
        255 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev]
        256 |   reserved_concurrent_executions = 5
        257 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:075585660276:code-signing-config:csc-0c7136ccff2de748f"
        258 |   dead_letter_config {
        259 |     target_arn = aws_sqs_queue.lambda_queue_dev[0].arn
        260 |   }
        261 |   tracing_config {
        262 |     mode = "Active"
        263 |   }
        264 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_uat
    File: /lambda.tf:288-306
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        288 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_uat" {
        289 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        290 |   count                          = local.is-preproduction == true ? 1 : 0
        291 |   filename                       = "${path.module}/lambda_scripts/terminate_cpu_process_uat.zip"
        292 |   function_name                  = "terminate_cpu_process"
        293 |   role                           = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_uat[0].arn
        294 |   handler                        = "terminate_cpu_process_uat.lambda_handler"
        295 |   runtime                        = "python3.12"
        296 |   timeout                        = 300
        297 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_uat]
        298 |   reserved_concurrent_executions = 5
        299 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:172753231260:code-signing-config:csc-0db408c5170a8eba6"
        300 |   dead_letter_config {
        301 |     target_arn = aws_sqs_queue.lambda_queue_uat[0].arn
        302 |   }
        303 |   tracing_config {
        304 |     mode = "Active"
        305 |   }
        306 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_prod
    File: /lambda.tf:330-348
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        330 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_prod" {
        331 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        332 |   count                          = local.is-production == true ? 1 : 0
        333 |   filename                       = "${path.module}/lambda_scripts/terminate_cpu_process_prod.zip"
        334 |   function_name                  = "terminate_cpu_process"
        335 |   role                           = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_prod[0].arn
        336 |   handler                        = "terminate_cpu_process_prod.lambda_handler"
        337 |   runtime                        = "python3.12"
        338 |   timeout                        = 300
        339 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_prod]
        340 |   reserved_concurrent_executions = 5
        341 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1"
        342 |   dead_letter_config {
        343 |     target_arn = aws_sqs_queue.lambda_queue_prod[0].arn
        344 |   }
        345 |   tracing_config {
        346 |     mode = "Active"
        347 |   }
        348 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_dev
    File: /lambda.tf:372-390
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        372 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_dev" {
        373 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        374 |   count                          = local.is-development == true ? 1 : 0
        375 |   filename                       = "${path.module}/lambda_scripts/send_cpu_notification_dev.zip"
        376 |   function_name                  = "send_cpu_notification"
        377 |   role                           = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_dev[0].arn
        378 |   handler                        = "send_cpu_notification_dev.lambda_handler"
        379 |   runtime                        = "python3.12"
        380 |   timeout                        = 300
        381 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev]
        382 |   reserved_concurrent_executions = 5
        383 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:075585660276:code-signing-config:csc-0c7136ccff2de748f"
        384 |   dead_letter_config {
        385 |     target_arn = aws_sqs_queue.lambda_queue_dev[0].arn
        386 |   }
        387 |   tracing_config {
        388 |     mode = "Active"
        389 |   }
        390 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_uat
    File: /lambda.tf:414-432
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        414 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_uat" {
        415 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        416 |   count                          = local.is-preproduction == true ? 1 : 0
        417 |   filename                       = "${path.module}/lambda_scripts/send_cpu_notification_uat.zip"
        418 |   function_name                  = "send_cpu_notification"
        419 |   role                           = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_uat[0].arn
        420 |   handler                        = "send_cpu_notification_uat.lambda_handler"
        421 |   runtime                        = "python3.12"
        422 |   timeout                        = 300
        423 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_uat]
        424 |   reserved_concurrent_executions = 5
        425 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:172753231260:code-signing-config:csc-0db408c5170a8eba6"
        426 |   dead_letter_config {
        427 |     target_arn = aws_sqs_queue.lambda_queue_uat[0].arn
        428 |   }
        429 |   tracing_config {
        430 |     mode = "Active"
        431 |   }
        432 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_prod
    File: /lambda.tf:456-474
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        456 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_prod" {
        457 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        458 |   count                          = local.is-production == true ?
1 : 0 459 | filename = "${path.module}/lambda_scripts/send_cpu_notification_prod.zip" 460 | function_name = "send_cpu_notification" 461 | role = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_prod[0].arn 462 | handler = "send_cpu_notification_prod.lambda_handler" 463 | runtime = "python3.12" 464 | timeout = 300 465 | depends_on = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_prod] 466 | reserved_concurrent_executions = 5 467 | # code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1" 468 | dead_letter_config { 469 | target_arn = aws_sqs_queue.lambda_queue_prod[0].arn 470 | } 471 | tracing_config { 472 | mode = "Active" 473 | } 474 | } Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads" FAILED for resource: aws_s3_bucket_lifecycle_configuration.MoJ-Health-Check-Reports File: /s3.tf:135-158 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300 135 | resource "aws_s3_bucket_lifecycle_configuration" "MoJ-Health-Check-Reports" { 136 | bucket = aws_s3_bucket.MoJ-Health-Check-Reports.id 137 | rule { 138 | id = "Remove-Old-SSM-Health-Check-Reports" 139 | status = "Enabled" 140 | abort_incomplete_multipart_upload { 141 | days_after_initiation = 7 142 | } 143 | 144 | filter { 145 | prefix = "ssm_output/" 146 | } 147 | 148 | noncurrent_version_transition { 149 | noncurrent_days = 183 150 | storage_class = "STANDARD_IA" 151 | } 152 | 153 | transition { 154 | days = 183 155 | storage_class = "STANDARD_IA" 156 | } 157 | } 158 | } Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK" FAILED for resource: aws_secretsmanager_secret.secretdirectoryservice File: /secrets.tf:14-17 Guide: 
https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms 14 | resource "aws_secretsmanager_secret" "secretdirectoryservice" { 15 | name = "AWSADPASS" 16 | recovery_window_in_days = 0 17 | } Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled" FAILED for resource: aws_secretsmanager_secret.secretdirectoryservice File: /secrets.tf:14-17 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57 14 | resource "aws_secretsmanager_secret" "secretdirectoryservice" { 15 | name = "AWSADPASS" 16 | recovery_window_in_days = 0 17 | } Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled" FAILED for resource: aws_s3_bucket.moj-log-files-prod File: /s3.tf:362-373 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62 362 | resource "aws_s3_bucket" "moj-log-files-prod" { 363 | # checkov:skip=CKV_AWS_145: "S3 bucket is not public facing, does not contain any sensitive information and does not need encryption" 364 | # checkov:skip=CKV_AWS_144: "PPUD has a UK Sovereignty requirement so cross region replication is prohibited" 365 | count = local.is-production == true ? 
1 : 0 366 | bucket = "moj-log-files-prod" 367 | tags = merge( 368 | local.tags, 369 | { 370 | Name = "${local.application_name}-moj-log-files-prod" 371 | } 372 | ) 373 | } Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled" FAILED for resource: aws_s3_bucket.moj-log-files-uat File: /s3.tf:535-546 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62 535 | resource "aws_s3_bucket" "moj-log-files-uat" { 536 | # checkov:skip=CKV_AWS_145: "S3 bucket is not public facing, does not contain any sensitive information and does not need encryption" 537 | # checkov:skip=CKV_AWS_144: "PPUD has a UK Sovereignty requirement so cross region replication is prohibited" 538 | count = local.is-preproduction == true ? 1 : 0 539 | bucket = "moj-log-files-uat" 540 | tags = merge( 541 | local.tags, 542 | { 543 | Name = "${local.application_name}-moj-log-files-uat" 544 | } 545 | ) 546 | } Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled" FAILED for resource: aws_s3_bucket.MoJ-Health-Check-Reports File: /s3.tf:114-126 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging 114 | resource "aws_s3_bucket" "MoJ-Health-Check-Reports" { 115 | # checkov:skip=CKV_AWS_145: "S3 bucket is not public facing, does not contain any sensitive information and does not need encryption" 116 | # checkov:skip=CKV_AWS_62: "S3 bucket event notification is not required" 117 | # checkov:skip=CKV2_AWS_62: "S3 bucket event notification is not required" 118 | # checkov:skip=CKV_AWS_144: "PPUD has a UK Sovereignty requirement so cross region replication is prohibited" 119 | bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3 120 | tags = merge( 121 | local.tags, 122 | { 123 | Name = "${local.application_name}-moj-health-check-reports" 124 | } 125 | ) 126 | } Check: CKV_AWS_18: "Ensure the S3 bucket has 
access logging enabled" FAILED for resource: aws_s3_bucket.moj-log-files-uat File: /s3.tf:535-546 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging 535 | resource "aws_s3_bucket" "moj-log-files-uat" { 536 | # checkov:skip=CKV_AWS_145: "S3 bucket is not public facing, does not contain any sensitive information and does not need encryption" 537 | # checkov:skip=CKV_AWS_144: "PPUD has a UK Sovereignty requirement so cross region replication is prohibited" 538 | count = local.is-preproduction == true ? 1 : 0 539 | bucket = "moj-log-files-uat" 540 | tags = merge( 541 | local.tags, 542 | { 543 | Name = "${local.application_name}-moj-log-files-uat" 544 | } 545 | ) 546 | } Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled" FAILED for resource: aws_s3_bucket.moj-log-files-dev File: /s3.tf:707-720 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging 707 | resource "aws_s3_bucket" "moj-log-files-dev" { 708 | # checkov:skip=CKV_AWS_145: "S3 bucket is not public facing, does not contain any sensitive information and does not need encryption" 709 | # checkov:skip=CKV_AWS_62: "S3 bucket event notification is not required" 710 | # checkov:skip=CKV2_AWS_62: "S3 bucket event notification is not required" 711 | # checkov:skip=CKV_AWS_144: "PPUD has a UK Sovereignty requirement so cross region replication is prohibited" 712 | count = local.is-development == true ? 
1 : 0 713 | bucket = "moj-log-files-dev" 714 | tags = merge( 715 | local.tags, 716 | { 717 | Name = "${local.application_name}-moj-log-files-dev" 718 | } 719 | ) 720 | } Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF" FAILED for resource: aws_lb.PPUD-ALB File: /alb_external.tf:4-23 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf 4 | resource "aws_lb" "PPUD-ALB" { 5 | count = local.is-development == true ? 1 : 0 6 | name = "PPUD-ALB" 7 | internal = false 8 | load_balancer_type = "application" 9 | security_groups = [aws_security_group.PPUD-ALB.id] 10 | subnets = [data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id] 11 | access_logs { 12 | bucket = aws_s3_bucket.moj-log-files-dev[0].id 13 | prefix = "alb-logs" 14 | enabled = true 15 | } 16 | 17 | enable_deletion_protection = true 18 | drop_invalid_header_fields = true 19 | 20 | tags = { 21 | Name = "${var.networking[0].business-unit}-${local.environment}" 22 | } 23 | } Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF" FAILED for resource: aws_lb.WAM-ALB File: /alb_external.tf:84-97 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf 84 | resource "aws_lb" "WAM-ALB" { 85 | name = local.application_data.accounts[local.environment].WAM_ALB 86 | internal = false 87 | load_balancer_type = "application" 88 | security_groups = [aws_security_group.WAM-ALB.id] 89 | subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id] 90 | 91 | enable_deletion_protection = true 92 | drop_invalid_header_fields = true 93 | 94 | tags = { 95 | Name = "${var.networking[0].business-unit}-${local.environment}" 96 | } 97 | } checkov_exitcode=1 ```
#### `CTFLint Scan` Failed
Show Output

```hcl
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/ppud
*****************************
Running tflint in terraform/environments/ppud
Excluding the following checks:
terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/ppud/lambda.tf line 478:
 478: data "archive_file" "zip_the_send_cpu_notification_code_prod" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/ppud/secrets.tf line 4:
   4: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2
```
#### `Trivy Scan` Failed
Show Output

```hcl
*****************************
Trivy will check the following folders:
terraform/environments/ppud
*****************************
Running Trivy in terraform/environments/ppud
2024-10-24T13:02:51Z	INFO	[vulndb] Need to update DB
2024-10-24T13:02:51Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-24T13:02:51Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-24T13:02:54Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-24T13:02:54Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-24T13:02:54Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-24T13:02:54Z	INFO	[misconfig] Need to update the built-in checks
2024-10-24T13:02:54Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-10-24T13:02:54Z	INFO	[secret] Secret scanning is enabled
2024-10-24T13:02:54Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-24T13:02:54Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-24T13:02:55Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-24T13:02:55Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.Memory_percentage_Committed_Bytes_In_Use" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.Windows_IIS_check" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.cpu" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.cpu_usage_iowait" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.instance_health_check" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.linux_cpu" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.linux_cpu_usage_iowait" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.linux_ec2_high_memory_usage" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.linux_instance_health_check" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.linux_system_health_check" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.low_disk_space_C_volume" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.low_disk_space_D_volume" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.low_disk_space_root_volume" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware-event-behavior-detected" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware-event-engine-out-of-date" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware-event-engine-update-failed" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware-event-scan-failed" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware-event-signature-update-failed" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.malware-event-state-detected" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_metric_alarm.system_health_check" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="data.aws_instance.linux_instance_details" value="cty.NilVal"
2024-10-24T13:02:56Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="data.aws_instance.windows_instance_details" value="cty.NilVal"
2024-10-24T13:02:56Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="iam.tf:899-906"
2024-10-24T13:02:56Z	INFO	Number of language-specific files	num=0
2024-10-24T13:02:56Z	INFO	Detected config files	num=6

alb_external.tf (terraform)
===========================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb_external.tf:86
   via alb_external.tf:84-97 (aws_lb.WAM-ALB)
────────────────────────────────────────
  84   resource "aws_lb" "WAM-ALB" {
  ..
  86 [   internal = false
  ..
  97   }
────────────────────────────────────────


s3.tf (terraform)
=================
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 s3.tf:114-126
────────────────────────────────────────
 114 ┌ resource "aws_s3_bucket" "MoJ-Health-Check-Reports" {
 115 │   # checkov:skip=CKV_AWS_145: "S3 bucket is not public facing, does not contain any sensitive information and does not need encryption"
 116 │   # checkov:skip=CKV_AWS_62: "S3 bucket event notification is not required"
 117 │   # checkov:skip=CKV2_AWS_62: "S3 bucket event notification is not required"
 118 │   # checkov:skip=CKV_AWS_144: "PPUD has a UK Sovereignty requirement so cross region replication is prohibited"
 119 │   bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3
 120 │   tags = merge(
 121 │     local.tags,
 122 └     {
 ...
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 s3.tf:114-126
────────────────────────────────────────
 114 ┌ resource "aws_s3_bucket" "MoJ-Health-Check-Reports" {
 115 │   # checkov:skip=CKV_AWS_145: "S3 bucket is not public facing, does not contain any sensitive information and does not need encryption"
 116 │   # checkov:skip=CKV_AWS_62: "S3 bucket event notification is not required"
 117 │   # checkov:skip=CKV2_AWS_62: "S3 bucket event notification is not required"
 118 │   # checkov:skip=CKV_AWS_144: "PPUD has a UK Sovereignty requirement so cross region replication is prohibited"
 119 │   bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3
 120 │   tags = merge(
 121 │     local.tags,
 122 └     {
 ...
────────────────────────────────────────

trivy_exitcode=1
```
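The Checkov and Trivy output above repeats the same handful of findings across the PPUD environments: no server access logging or event notifications on the `moj-log-files-*` buckets (CKV_AWS_18, CKV2_AWS_62), no encryption or customer-managed key on `MoJ-Health-Check-Reports` (avd-aws-0088, avd-aws-0132), `code_signing_config_arn` commented out on every Lambda (CKV_AWS_272), the `AWSADPASS` secret on the default key with no rotation (CKV_AWS_149, CKV2_AWS_57), and public ALBs without a WAF association (CKV2_AWS_28). The block below is an added example written for this page, not PPUD's own configuration, showing one Terraform shape that satisfies each check. Every resource name suffixed `_example`, the KMS key, the Signer profile, the `aws_wafv2_web_acl.example`, the `aws_iam_role.lambda_example` role, the rotation function `aws_lambda_function.rotate_directory_service_example`, and the S3 key of the signed artifact are assumptions for illustration.

```hcl
# Added example, not PPUD's own configuration: hardened counterparts of the
# resources the Checkov and Trivy output flags. Everything suffixed "_example",
# the KMS key, Signer profile, web ACL, rotation function and IAM role are
# assumptions made for illustration.

# One customer-managed key, with rotation, for the log bucket and the secret.
resource "aws_kms_key" "example" {
  description         = "CMK for PPUD log bucket and Directory Service secret (example)"
  enable_key_rotation = true
}

# Separate sink for S3 server access logs: a bucket must not log to itself.
resource "aws_s3_bucket" "access_logs_example" {
  bucket = "moj-s3-access-logs-example"
}

resource "aws_s3_bucket" "log_files_example" {
  bucket = "moj-log-files-example"
}

# CKV_AWS_18: server access logging to the separate sink.
resource "aws_s3_bucket_logging" "log_files_example" {
  bucket        = aws_s3_bucket.log_files_example.id
  target_bucket = aws_s3_bucket.access_logs_example.id
  target_prefix = "s3-access/"
}

# avd-aws-0088 / avd-aws-0132: SSE-KMS with the CMK above.
resource "aws_s3_bucket_server_side_encryption_configuration" "log_files_example" {
  bucket = aws_s3_bucket.log_files_example.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.example.arn
    }
  }
}

# CKV2_AWS_62: event notifications. Forwarding to EventBridge satisfies the
# check without creating an SNS, SQS or Lambda target for each bucket.
resource "aws_s3_bucket_notification" "log_files_example" {
  bucket      = aws_s3_bucket.log_files_example.id
  eventbridge = true
}

# CKV_AWS_272: code signing. With the policy set to Enforce, Lambda only
# accepts a package signed by the listed profile, so the function has to be
# deployed from the signed artifact an AWS Signer job writes to S3 rather
# than from a locally built zip.
resource "aws_signer_signing_profile" "example" {
  platform_id = "AWSLambda-SHA384-ECDSA"
  name_prefix = "ppud_example_"
}

resource "aws_lambda_code_signing_config" "example" {
  allowed_publishers {
    signing_profile_version_arns = [aws_signer_signing_profile.example.version_arn]
  }
  policies {
    untrusted_artifact_on_deployment = "Enforce" # reject unsigned or mis-signed packages
  }
}

resource "aws_s3_bucket" "artifacts_example" {
  bucket = "moj-lambda-artifacts-example"
}

resource "aws_lambda_function" "send_cpu_notification_example" {
  function_name           = "send_cpu_notification_example"
  role                    = aws_iam_role.lambda_example.arn # assumed to exist
  handler                 = "send_cpu_notification.lambda_handler"
  runtime                 = "python3.12"
  s3_bucket               = aws_s3_bucket.artifacts_example.id
  s3_key                  = "signed/send_cpu_notification.zip" # Signer job output (assumed key)
  code_signing_config_arn = aws_lambda_code_signing_config.example.arn
}

# CKV_AWS_149 / CKV2_AWS_57: CMK-encrypted secret with scheduled rotation.
# recovery_window_in_days = 0, as in secrets.tf above, deletes the secret
# immediately with no recovery period; 7 days is the smallest non-zero window.
resource "aws_secretsmanager_secret" "directory_service_example" {
  name                    = "AWSADPASS-example"
  kms_key_id              = aws_kms_key.example.arn
  recovery_window_in_days = 7
}

resource "aws_secretsmanager_secret_rotation" "directory_service_example" {
  secret_id           = aws_secretsmanager_secret.directory_service_example.id
  rotation_lambda_arn = aws_lambda_function.rotate_directory_service_example.arn # assumed rotation function
  rotation_rules {
    automatically_after_days = 30
  }
}

# CKV2_AWS_28: attach a regional WAFv2 web ACL to the internet-facing ALB
# (the web ACL is assumed to exist; WAM-ALB is the resource from alb_external.tf).
resource "aws_wafv2_web_acl_association" "wam_alb_example" {
  resource_arn = aws_lb.WAM-ALB.arn
  web_acl_arn  = aws_wafv2_web_acl.example.arn
}
```

Two caveats when carrying this over to the real files. The `archive_file` data sources this repository uses (see the tflint warning on `lambda.tf` line 478) produce unsigned zips, so uncommenting `code_signing_config_arn` on its own will make deployments fail under an `Enforce` policy until the packages go through a Signer job. And the CKV_AWS_300 finding on `MoJ-Health-Check-Reports` is worth re-checking against the Checkov version in use before touching the lifecycle rule: the snippet as printed already contains `abort_incomplete_multipart_upload { days_after_initiation = 7 }`, which is the setting that check asks for.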