ministryofjustice / modernisation-platform-environments

Modernisation platform environments • This repository is defined and managed in Terraform
MIT License

Update 251024 2 #8456

Closed nbuckingham72 closed 4 days ago

nbuckingham72 commented 4 days ago

Trivy scan exclusions added for logging on S3 buckets, KMS permissions, WAF on ALBs. Additional logging enabled for Dev & UAT ALB.
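As an added example, not code from this PR or the repository, the block below shows what the ALB logging and WAF pieces named in the description look like when the checks are satisfied in Terraform rather than excluded: an `access_logs` block on the `aws_lb` (Checkov CKV_AWS_91), a WAFv2 web ACL associated with it (CKV2_AWS_28), and a dedicated log bucket whose policy lets only the regional ELB log-delivery account write under this account's prefix. Resource names (`ppud_alb`, `alb_logs`), the `local.environment` prefix and the subnet and security-group references are placeholders. One caveat that matters for the KMS exclusions: ALB access-log delivery only supports SSE-S3 (`AES256`), so a customer-managed-key finding such as Trivy avd-aws-0132 on that bucket cannot be fixed, only justified.

```hcl
# Added example (not from the PR): ALB access logging + WAF association.
# Placeholder names; assumes local.environment, aws_security_group.ppud_alb
# and the public subnet data sources already exist in the module.
data "aws_caller_identity" "current" {}
data "aws_elb_service_account" "current" {} # regional ELB log-delivery account

resource "aws_s3_bucket" "alb_logs" {
  bucket = "ppud-${local.environment}-alb-logs" # placeholder name
}

resource "aws_s3_bucket_public_access_block" "alb_logs" {
  bucket                  = aws_s3_bucket.alb_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# ALB log delivery only supports SSE-S3; SSE-KMS on this bucket breaks log writes.
resource "aws_s3_bucket_server_side_encryption_configuration" "alb_logs" {
  bucket = aws_s3_bucket.alb_logs.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm = "AES256"
    }
  }
}

# Only the ELB account may write, and only under this account's AWSLogs prefix.
data "aws_iam_policy_document" "alb_logs" {
  statement {
    actions = ["s3:PutObject"]
    principals {
      type        = "AWS"
      identifiers = [data.aws_elb_service_account.current.arn]
    }
    resources = [
      "${aws_s3_bucket.alb_logs.arn}/alb-logs/AWSLogs/${data.aws_caller_identity.current.account_id}/*",
    ]
  }
}

resource "aws_s3_bucket_policy" "alb_logs" {
  bucket = aws_s3_bucket.alb_logs.id
  policy = data.aws_iam_policy_document.alb_logs.json
}

resource "aws_lb" "ppud_alb" {
  name               = "ppud-${local.environment}-alb"
  internal           = false # public by design; Trivy avd-aws-0053 only asks you to confirm this
  load_balancer_type = "application"
  security_groups    = [aws_security_group.ppud_alb.id]
  subnets            = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id]

  enable_deletion_protection = true
  drop_invalid_header_fields = true

  # CKV_AWS_91 wants this block present with enabled = true.
  access_logs {
    bucket  = aws_s3_bucket.alb_logs.id
    prefix  = "alb-logs"
    enabled = true
  }

  # The bucket policy must exist before AWS validates log delivery on create.
  depends_on = [aws_s3_bucket_policy.alb_logs]
}

resource "aws_wafv2_web_acl" "ppud_alb" {
  name  = "ppud-${local.environment}-alb"
  scope = "REGIONAL"

  default_action { allow {} }

  rule {
    name     = "aws-managed-common"
    priority = 1
    override_action { none {} }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-managed-common"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "ppud-alb"
    sampled_requests_enabled   = true
  }
}

# The association, not the web ACL itself, is what CKV2_AWS_28 looks for.
resource "aws_wafv2_web_acl_association" "ppud_alb" {
  resource_arn = aws_lb.ppud_alb.arn
  web_acl_arn  = aws_wafv2_web_acl.ppud_alb.arn
}
```

The `data "aws_elb_service_account"` lookup avoids hard-coding the per-region ELB account ID; for an NLB the bucket policy principal is the `delivery.logs.amazonaws.com` service instead, and the NLB resource on this page would also need `enable_cross_zone_load_balancing = true` to clear CKV_AWS_152.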

github-actions[bot] commented 4 days ago

#### `Trivy Scan` Failed

```hcl
*****************************
Trivy will check the following folders:
terraform/environments/ppud
*****************************
Running Trivy in terraform/environments/ppud
2024-10-25T06:54:07Z INFO [vulndb] Need to update DB
2024-10-25T06:54:07Z INFO [vulndb] Downloading vulnerability DB...
2024-10-25T06:54:07Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-25T06:54:09Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-25T06:54:09Z INFO [vuln] Vulnerability scanning is enabled
2024-10-25T06:54:09Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-25T06:54:09Z INFO [misconfig] Need to update the built-in checks
2024-10-25T06:54:09Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-25T06:54:10Z INFO [secret] Secret scanning is enabled
2024-10-25T06:54:10Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-25T06:54:10Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-25T06:54:11Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-25T06:54:11Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.Memory_percentage_Committed_Bytes_In_Use" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.Windows_IIS_check" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.cpu" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.cpu_usage_iowait" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.instance_health_check" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_cpu" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_cpu_usage_iowait" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_ec2_high_memory_usage" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_instance_health_check" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_system_health_check" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.low_disk_space_C_volume" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.low_disk_space_D_volume" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.low_disk_space_root_volume" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-behavior-detected" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-engine-out-of-date" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-engine-update-failed" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-scan-failed" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-signature-update-failed" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-state-detected" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.system_health_check" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="data.aws_instance.linux_instance_details" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="data.aws_instance.windows_instance_details" value="cty.NilVal"
2024-10-25T06:54:12Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="iam.tf:899-906"
2024-10-25T06:54:12Z INFO Number of language-specific files num=0
2024-10-25T06:54:12Z INFO Detected config files num=6

alb_external.tf (terraform)
===========================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb_external.tf:88
   via alb_external.tf:85-104 (aws_lb.WAM-ALB)
────────────────────────────────────────
  85   resource "aws_lb" "WAM-ALB" {
  ..
  88 [   internal = false
 ...
 104   }
────────────────────────────────────────

s3.tf (terraform)
=================
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 s3.tf:115-128
────────────────────────────────────────
 115 ┌ resource "aws_s3_bucket" "MoJ-Health-Check-Reports" {
 116 │   # checkov:skip=CKV_AWS_145: "S3 bucket is not public facing, does not contain any sensitive information and does not need encryption"
 117 │   # checkov:skip=CKV_AWS_62: "S3 bucket event notification is not required"
 118 │   # checkov:skip=CKV2_AWS_62: "S3 bucket event notification is not required"
 119 │   # checkov:skip=CKV_AWS_144: "PPUD has a UK Sovereignty requirement so cross region replication is prohibited"
 120 │   # checkov:skip=CKV_AWS_18: "S3 bucket logging is not required"
 121 │   bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3
 122 │   tags = merge(
 123 └     local.tags,
 ...
────────────────────────────────────────

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 s3.tf:115-128
────────────────────────────────────────
 115 ┌ resource "aws_s3_bucket" "MoJ-Health-Check-Reports" {
 116 │   # checkov:skip=CKV_AWS_145: "S3 bucket is not public facing, does not contain any sensitive information and does not need encryption"
 117 │   # checkov:skip=CKV_AWS_62: "S3 bucket event notification is not required"
 118 │   # checkov:skip=CKV2_AWS_62: "S3 bucket event notification is not required"
 119 │   # checkov:skip=CKV_AWS_144: "PPUD has a UK Sovereignty requirement so cross region replication is prohibited"
 120 │   # checkov:skip=CKV_AWS_18: "S3 bucket logging is not required"
 121 │   bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3
 122 │   tags = merge(
 123 └     local.tags,
 ...
────────────────────────────────────────

trivy_exitcode=1
```
#### `Checkov Scan` Failed
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/ppud
*****************************
Running Checkov in terraform/environments/ppud
Excluding the following checks:
CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 1010, Failed checks: 24, Skipped checks: 137

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
    FAILED for resource: aws_lb.WAM-ALB
    File: /alb_external.tf:85-104
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

         85 | resource "aws_lb" "WAM-ALB" {
         86 |   # checkov:skip=CKV_AWS_28: "ALB is already protected by WAF"
         87 |   name               = local.application_data.accounts[local.environment].WAM_ALB
         88 |   internal           = false
         89 |   load_balancer_type = "application"
         90 |   security_groups    = [aws_security_group.WAM-ALB.id]
         91 |   subnets            = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id]
         92 |   # access_logs {
         93 |   #   bucket  = aws_s3_bucket.moj-log-files-dev[0].id
         94 |   #   prefix  = "alb-logs"
         95 |   #   enabled = true
         96 |   # }
         97 |
         98 |   enable_deletion_protection = true
         99 |   drop_invalid_header_fields = true
        100 |
        101 |   tags = {
        102 |     Name = "${var.networking[0].business-unit}-${local.environment}"
        103 |   }
        104 | }

Check: CKV_AWS_378: "Ensure AWS Load Balancer doesn't use HTTP protocol"
    FAILED for resource: aws_lb_target_group.WAM-Target-Group
    File: /alb_external.tf:148-168

        148 | resource "aws_lb_target_group" "WAM-Target-Group" {
        149 |   name     = "WAM"
        150 |   port     = 80
        151 |   protocol = "HTTP"
        152 |   vpc_id   = data.aws_vpc.shared.id
        153 |
        154 |   health_check {
        155 |     enabled             = true
        156 |     path                = "/"
        157 |     interval            = 30
        158 |     protocol            = "HTTP"
        159 |     port                = 80
        160 |     timeout             = 5
        161 |     healthy_threshold   = 5
        162 |     unhealthy_threshold = 2
        163 |     matcher             = "302"
        164 |   }
        165 |   tags = {
        166 |     Name = "${var.networking[0].business-unit}-${local.environment}"
        167 |   }
        168 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
    FAILED for resource: aws_lb.PPUD-internal-ALB
    File: /alb_internal.tf:5-25
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

          5 | resource "aws_lb" "PPUD-internal-ALB" {
          6 |   count              = local.is-development == false ? 1 : 0
          7 |   name               = local.application_data.accounts[local.environment].PPUD_Internal_ALB
          8 |   internal           = true
          9 |   idle_timeout       = 240
         10 |   load_balancer_type = "application"
         11 |   security_groups    = [aws_security_group.PPUD-ALB.id]
         12 |   subnets            = [data.aws_subnet.private_subnets_b.id, data.aws_subnet.private_subnets_c.id]
         13 |   # access_logs {
         14 |   #   bucket  = aws_s3_bucket.moj-log-files-uat[0].id
         15 |   #   prefix  = "alb-logs"
         16 |   #   enabled = true
         17 |   # }
         18 |
         19 |   enable_deletion_protection = true
         20 |   drop_invalid_header_fields = true
         21 |
         22 |   tags = {
         23 |     Name = "${var.networking[0].business-unit}-${local.environment}"
         24 |   }
         25 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_certificate_expiry_dev
    File: /certificate_mgmt.tf:16-41
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

         16 | resource "aws_lambda_function" "terraform_lambda_func_certificate_expiry_dev" {
         17 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
         18 |   # checkov:skip=CKV_AWS_173: "PPUD Lambda environmental variables do not contain sensitive information"
         19 |   count                          = local.is-development == true ? 1 : 0
         20 |   filename                       = "${path.module}/lambda_scripts/certificate_expiry_dev.zip"
         21 |   function_name                  = "certificate_expiry_dev"
         22 |   role                           = aws_iam_role.lambda_role_certificate_expiry_dev[0].arn
         23 |   handler                        = "certificate_expiry_dev.lambda_handler"
         24 |   runtime                        = "python3.8"
         25 |   timeout                        = 30
         26 |   reserved_concurrent_executions = 5
         27 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:075585660276:code-signing-config:csc-0c7136ccff2de748f"
         28 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_certificate_expiry_to_lambda_role_certificate_expiry_dev]
         29 |   environment {
         30 |     variables = {
         31 |       EXPIRY_DAYS   = "45",
         32 |       SNS_TOPIC_ARN = "arn:aws:sns:eu-west-2:075585660276:ec2_cloudwatch_alarms"
         33 |     }
         34 |   }
         35 |   dead_letter_config {
         36 |     target_arn = aws_sqs_queue.lambda_queue_dev[0].arn
         37 |   }
         38 |   tracing_config {
         39 |     mode = "Active"
         40 |   }
         41 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_certificate_expiry_uat
    File: /certificate_mgmt.tf:94-119
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

         94 | resource "aws_lambda_function" "terraform_lambda_func_certificate_expiry_uat" {
         95 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
         96 |   # checkov:skip=CKV_AWS_173: "PPUD Lambda environmental variables do not contain sensitive information"
         97 |   count                          = local.is-preproduction == true ? 1 : 0
         98 |   filename                       = "${path.module}/lambda_scripts/certificate_expiry_uat.zip"
         99 |   function_name                  = "certificate_expiry_uat"
        100 |   role                           = aws_iam_role.lambda_role_certificate_expiry_uat[0].arn
        101 |   handler                        = "certificate_expiry_uat.lambda_handler"
        102 |   runtime                        = "python3.8"
        103 |   timeout                        = 30
        104 |   reserved_concurrent_executions = 5
        105 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:172753231260:code-signing-config:csc-0db408c5170a8eba6"
        106 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_certificate_expiry_to_lambda_role_certificate_expiry_uat]
        107 |   environment {
        108 |     variables = {
        109 |       EXPIRY_DAYS   = "45",
        110 |       SNS_TOPIC_ARN = "arn:aws:sns:eu-west-2:172753231260:ppud-uat-cw-alerts"
        111 |     }
        112 |   }
        113 |   dead_letter_config {
        114 |     target_arn = aws_sqs_queue.lambda_queue_uat[0].arn
        115 |   }
        116 |   tracing_config {
        117 |     mode = "Active"
        118 |   }
        119 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_certificate_expiry_prod
    File: /certificate_mgmt.tf:172-197
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        172 | resource "aws_lambda_function" "terraform_lambda_func_certificate_expiry_prod" {
        173 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        174 |   # checkov:skip=CKV_AWS_173: "PPUD Lambda environmental variables do not contain sensitive information"
        175 |   count                          = local.is-production == true ? 1 : 0
        176 |   filename                       = "${path.module}/lambda_scripts/certificate_expiry_prod.zip"
        177 |   function_name                  = "certificate_expiry_prod"
        178 |   role                           = aws_iam_role.lambda_role_certificate_expiry_prod[0].arn
        179 |   handler                        = "certificate_expiry_prod.lambda_handler"
        180 |   runtime                        = "python3.8"
        181 |   timeout                        = 30
        182 |   reserved_concurrent_executions = 5
        183 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1"
        184 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_certificate_expiry_to_lambda_role_certificate_expiry_prod]
        185 |   environment {
        186 |     variables = {
        187 |       EXPIRY_DAYS   = "45",
        188 |       SNS_TOPIC_ARN = "arn:aws:sns:eu-west-2:817985104434:ppud-prod-cw-alerts"
        189 |     }
        190 |   }
        191 |   dead_letter_config {
        192 |     target_arn = aws_sqs_queue.lambda_queue_prod[0].arn
        193 |   }
        194 |   tracing_config {
        195 |     mode = "Active"
        196 |   }
        197 | }

Check: CKV_AWS_123: "Ensure that VPC Endpoint Service is configured for Manual Acceptance"
    FAILED for resource: aws_vpc_endpoint_service.HomeOffice
    File: /endpointservice.tf:1-8
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-vpc-endpoint-service-is-configured-for-manual-acceptance

          1 | resource "aws_vpc_endpoint_service" "HomeOffice" {
          2 |   count                      = local.is-production == true ? 1 : 0
          3 |   acceptance_required        = false
          4 |   network_load_balancer_arns = [aws_lb.ppud_internal_nlb[0].arn]
          5 |   tags = {
          6 |     Name = "HomeOffice-Endpoint"
          7 |   }
          8 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
    FAILED for resource: aws_lb.ppud_internal_nlb
    File: /endpointservice.tf:16-33
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

         16 | resource "aws_lb" "ppud_internal_nlb" {
         17 |   count                      = local.is-production == true ? 1 : 0
         18 |   name                       = "ppud-internal-nlb"
         19 |   internal                   = true
         20 |   load_balancer_type         = "network"
         21 |   subnets                    = [data.aws_subnet.private_subnets_b.id, data.aws_subnet.private_subnets_c.id]
         22 |   security_groups            = [aws_security_group.PPUD-ALB.id]
         23 |   enable_deletion_protection = true
         24 |   #access_logs {
         25 |   #  bucket  = aws_s3_bucket.moj-log-files-prod[0].id
         26 |   #  prefix  = "alb-logs"
         27 |   #  enabled = true
         28 |   #}
         29 |
         30 |   tags = {
         31 |     Name = "${var.networking[0].business-unit}-${local.environment}"
         32 |   }
         33 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
    FAILED for resource: aws_lb.ppud_internal_nlb
    File: /endpointservice.tf:16-33
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

         16 | resource "aws_lb" "ppud_internal_nlb" {
         17 |   count                      = local.is-production == true ? 1 : 0
         18 |   name                       = "ppud-internal-nlb"
         19 |   internal                   = true
         20 |   load_balancer_type         = "network"
         21 |   subnets                    = [data.aws_subnet.private_subnets_b.id, data.aws_subnet.private_subnets_c.id]
         22 |   security_groups            = [aws_security_group.PPUD-ALB.id]
         23 |   enable_deletion_protection = true
         24 |   #access_logs {
         25 |   #  bucket  = aws_s3_bucket.moj-log-files-prod[0].id
         26 |   #  prefix  = "alb-logs"
         27 |   #  enabled = true
         28 |   #}
         29 |
         30 |   tags = {
         31 |     Name = "${var.networking[0].business-unit}-${local.environment}"
         32 |   }
         33 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_stop
    File: /lambda.tf:23-40
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

         23 | resource "aws_lambda_function" "terraform_lambda_func_stop" {
         24 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
         25 |   count                          = local.is-production == true ? 1 : 0
         26 |   filename                       = "${path.module}/stop-instance/StopEC2Instances.zip"
         27 |   function_name                  = "stop_Lambda_Function"
         28 |   role                           = aws_iam_role.lambda_role[0].arn
         29 |   handler                        = "StopEC2Instances.lambda_handler"
         30 |   runtime                        = "python3.9"
         31 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role]
         32 |   reserved_concurrent_executions = 5
         33 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1"
         34 |   dead_letter_config {
         35 |     target_arn = aws_sqs_queue.lambda_queue_prod[0].arn
         36 |   }
         37 |   tracing_config {
         38 |     mode = "Active"
         39 |   }
         40 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_start
    File: /lambda.tf:42-59
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

         42 | resource "aws_lambda_function" "terraform_lambda_func_start" {
         43 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
         44 |   count                          = local.is-production == true ? 1 : 0
         45 |   filename                       = "${path.module}/start-instance/StartEC2Instances.zip"
         46 |   function_name                  = "start_Lambda_Function"
         47 |   role                           = aws_iam_role.lambda_role[0].arn
         48 |   handler                        = "StartEC2Instances.lambda_handler"
         49 |   runtime                        = "python3.9"
         50 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_to_lambda_role]
         51 |   reserved_concurrent_executions = 5
         52 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1"
         53 |   dead_letter_config {
         54 |     target_arn = aws_sqs_queue.lambda_queue_prod[0].arn
         55 |   }
         56 |   tracing_config {
         57 |     mode = "Active"
         58 |   }
         59 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_disable_cpu_alarm
    File: /lambda.tf:193-210
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        193 | resource "aws_lambda_function" "terraform_lambda_disable_cpu_alarm" {
        194 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        195 |   count                          = local.is-production == true ? 1 : 0
        196 |   filename                       = "${path.module}/lambda_scripts/disable_cpu_alarm.zip"
        197 |   function_name                  = "disable_cpu_alarm"
        198 |   role                           = aws_iam_role.lambda_role_alarm_suppression[0].arn
        199 |   handler                        = "disable_cpu_alarm.lambda_handler"
        200 |   runtime                        = "python3.12"
        201 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_alarm_suppression_to_lambda_role_alarm_suppression]
        202 |   reserved_concurrent_executions = 5
        203 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1"
        204 |   dead_letter_config {
        205 |     target_arn = aws_sqs_queue.lambda_queue_prod[0].arn
        206 |   }
        207 |   tracing_config {
        208 |     mode = "Active"
        209 |   }
        210 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_enable_cpu_alarm
    File: /lambda.tf:214-231
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        214 | resource "aws_lambda_function" "terraform_lambda_enable_cpu_alarm" {
        215 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        216 |   count                          = local.is-production == true ? 1 : 0
        217 |   filename                       = "${path.module}/lambda_scripts/enable_cpu_alarm.zip"
        218 |   function_name                  = "enable_cpu_alarm"
        219 |   role                           = aws_iam_role.lambda_role_alarm_suppression[0].arn
        220 |   handler                        = "enable_cpu_alarm.lambda_handler"
        221 |   runtime                        = "python3.12"
        222 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_alarm_suppression_to_lambda_role_alarm_suppression]
        223 |   reserved_concurrent_executions = 5
        224 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1"
        225 |   dead_letter_config {
        226 |     target_arn = aws_sqs_queue.lambda_queue_prod[0].arn
        227 |   }
        228 |   tracing_config {
        229 |     mode = "Active"
        230 |   }
        231 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_dev
    File: /lambda.tf:246-264
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        246 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_dev" {
        247 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        248 |   count                          = local.is-development == true ? 1 : 0
        249 |   filename                       = "${path.module}/lambda_scripts/terminate_cpu_process_dev.zip"
        250 |   function_name                  = "terminate_cpu_process"
        251 |   role                           = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_dev[0].arn
        252 |   handler                        = "terminate_cpu_process_dev.lambda_handler"
        253 |   runtime                        = "python3.12"
        254 |   timeout                        = 300
        255 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev]
        256 |   reserved_concurrent_executions = 5
        257 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:075585660276:code-signing-config:csc-0c7136ccff2de748f"
        258 |   dead_letter_config {
        259 |     target_arn = aws_sqs_queue.lambda_queue_dev[0].arn
        260 |   }
        261 |   tracing_config {
        262 |     mode = "Active"
        263 |   }
        264 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_uat
    File: /lambda.tf:288-306
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        288 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_uat" {
        289 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        290 |   count                          = local.is-preproduction == true ? 1 : 0
        291 |   filename                       = "${path.module}/lambda_scripts/terminate_cpu_process_uat.zip"
        292 |   function_name                  = "terminate_cpu_process"
        293 |   role                           = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_uat[0].arn
        294 |   handler                        = "terminate_cpu_process_uat.lambda_handler"
        295 |   runtime                        = "python3.12"
        296 |   timeout                        = 300
        297 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_uat]
        298 |   reserved_concurrent_executions = 5
        299 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:172753231260:code-signing-config:csc-0db408c5170a8eba6"
        300 |   dead_letter_config {
        301 |     target_arn = aws_sqs_queue.lambda_queue_uat[0].arn
        302 |   }
        303 |   tracing_config {
        304 |     mode = "Active"
        305 |   }
        306 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_terminate_cpu_process_prod
    File: /lambda.tf:330-348
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        330 | resource "aws_lambda_function" "terraform_lambda_func_terminate_cpu_process_prod" {
        331 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        332 |   count                          = local.is-production == true ? 1 : 0
        333 |   filename                       = "${path.module}/lambda_scripts/terminate_cpu_process_prod.zip"
        334 |   function_name                  = "terminate_cpu_process"
        335 |   role                           = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_prod[0].arn
        336 |   handler                        = "terminate_cpu_process_prod.lambda_handler"
        337 |   runtime                        = "python3.12"
        338 |   timeout                        = 300
        339 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_prod]
        340 |   reserved_concurrent_executions = 5
        341 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1"
        342 |   dead_letter_config {
        343 |     target_arn = aws_sqs_queue.lambda_queue_prod[0].arn
        344 |   }
        345 |   tracing_config {
        346 |     mode = "Active"
        347 |   }
        348 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_dev
    File: /lambda.tf:372-390
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        372 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_dev" {
        373 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        374 |   count                          = local.is-development == true ? 1 : 0
        375 |   filename                       = "${path.module}/lambda_scripts/send_cpu_notification_dev.zip"
        376 |   function_name                  = "send_cpu_notification"
        377 |   role                           = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_dev[0].arn
        378 |   handler                        = "send_cpu_notification_dev.lambda_handler"
        379 |   runtime                        = "python3.12"
        380 |   timeout                        = 300
        381 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_dev]
        382 |   reserved_concurrent_executions = 5
        383 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:075585660276:code-signing-config:csc-0c7136ccff2de748f"
        384 |   dead_letter_config {
        385 |     target_arn = aws_sqs_queue.lambda_queue_dev[0].arn
        386 |   }
        387 |   tracing_config {
        388 |     mode = "Active"
        389 |   }
        390 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_uat
    File: /lambda.tf:414-432
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        414 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_uat" {
        415 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        416 |   count                          = local.is-preproduction == true ? 1 : 0
        417 |   filename                       = "${path.module}/lambda_scripts/send_cpu_notification_uat.zip"
        418 |   function_name                  = "send_cpu_notification"
        419 |   role                           = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_uat[0].arn
        420 |   handler                        = "send_cpu_notification_uat.lambda_handler"
        421 |   runtime                        = "python3.12"
        422 |   timeout                        = 300
        423 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_uat]
        424 |   reserved_concurrent_executions = 5
        425 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:172753231260:code-signing-config:csc-0db408c5170a8eba6"
        426 |   dead_letter_config {
        427 |     target_arn = aws_sqs_queue.lambda_queue_uat[0].arn
        428 |   }
        429 |   tracing_config {
        430 |     mode = "Active"
        431 |   }
        432 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.terraform_lambda_func_send_cpu_notification_prod
    File: /lambda.tf:456-474
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        456 | resource "aws_lambda_function" "terraform_lambda_func_send_cpu_notification_prod" {
        457 |   # checkov:skip=CKV_AWS_117: "PPUD Lambda functions do not require VPC access and can run in no-VPC mode"
        458 |   count                          = local.is-production == true ? 1 : 0
        459 |   filename                       = "${path.module}/lambda_scripts/send_cpu_notification_prod.zip"
        460 |   function_name                  = "send_cpu_notification"
        461 |   role                           = aws_iam_role.lambda_role_cloudwatch_invoke_lambda_prod[0].arn
        462 |   handler                        = "send_cpu_notification_prod.lambda_handler"
        463 |   runtime                        = "python3.12"
        464 |   timeout                        = 300
        465 |   depends_on                     = [aws_iam_role_policy_attachment.attach_lambda_policy_cloudwatch_invoke_lambda_to_lambda_role_cloudwatch_invoke_lambda_prod]
        466 |   reserved_concurrent_executions = 5
        467 |   # code_signing_config_arn = "arn:aws:lambda:eu-west-2:817985104434:code-signing-config:csc-0bafee04a642a41c1"
        468 |   dead_letter_config {
        469 |     target_arn = aws_sqs_queue.lambda_queue_prod[0].arn
        470 |   }
        471 |   tracing_config {
        472 |     mode = "Active"
        473 |   }
        474 | }

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
    FAILED for resource: aws_s3_bucket_lifecycle_configuration.MoJ-Health-Check-Reports
    File: /s3.tf:137-160
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

        137 | resource "aws_s3_bucket_lifecycle_configuration" "MoJ-Health-Check-Reports" {
        138 |   bucket = aws_s3_bucket.MoJ-Health-Check-Reports.id
        139 |   rule {
        140 |     id     = "Remove-Old-SSM-Health-Check-Reports"
        141 |     status = "Enabled"
        142 |     abort_incomplete_multipart_upload {
        143 |       days_after_initiation = 7
        144 |     }
        145 |
        146 |     filter {
        147 |       prefix = "ssm_output/"
        148 |     }
        149 |
        150 |     noncurrent_version_transition {
        151 |       noncurrent_days = 183
        152 |       storage_class   = "STANDARD_IA"
        153 |     }
        154 |
        155 |     transition {
        156 |       days          = 183
        157 |       storage_class = "STANDARD_IA"
        158 |     }
        159 |   }
        160 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
    FAILED for resource: aws_secretsmanager_secret.secretdirectoryservice
    File: /secrets.tf:14-17
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

         14 | resource "aws_secretsmanager_secret" "secretdirectoryservice" {
         15 |   name                    = "AWSADPASS"
         16 |   recovery_window_in_days = 0
         17 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
    FAILED for resource: aws_secretsmanager_secret.secretdirectoryservice
    File: /secrets.tf:14-17
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

         14 | resource "aws_secretsmanager_secret" "secretdirectoryservice" {
         15 |   name                    = "AWSADPASS"
         16 |   recovery_window_in_days = 0
         17 | }

Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF"
    FAILED for resource: aws_lb.PPUD-ALB
    File: /alb_external.tf:4-24
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf

          4 | resource "aws_lb" "PPUD-ALB" {
          5 |   # checkov:skip=CKV_AWS_28: "ALB is already protected by WAF"
          6 |   count = local.is-development == true ?
```
1 : 0 7 | name = "PPUD-ALB" 8 | internal = false 9 | load_balancer_type = "application" 10 | security_groups = [aws_security_group.PPUD-ALB.id] 11 | subnets = [data.aws_subnet.public_subnets_b.id, data.aws_subnet.public_subnets_c.id] 12 | access_logs { 13 | bucket = aws_s3_bucket.moj-log-files-dev[0].id 14 | prefix = "alb-logs" 15 | enabled = true 16 | } 17 | 18 | enable_deletion_protection = true 19 | drop_invalid_header_fields = true 20 | 21 | tags = { 22 | Name = "${var.networking[0].business-unit}-${local.environment}" 23 | } 24 | } Check: CKV2_AWS_28: "Ensure public facing ALB are protected by WAF" FAILED for resource: aws_lb.WAM-ALB File: /alb_external.tf:85-104 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-public-facing-alb-are-protected-by-waf 85 | resource "aws_lb" "WAM-ALB" { 86 | # checkov:skip=CKV_AWS_28: "ALB is already protected by WAF" 87 | name = local.application_data.accounts[local.environment].WAM_ALB 88 | internal = false 89 | load_balancer_type = "application" 90 | security_groups = [aws_security_group.WAM-ALB.id] 91 | subnets = [data.aws_subnet.public_subnets_a.id, data.aws_subnet.public_subnets_b.id] 92 | # access_logs { 93 | # bucket = aws_s3_bucket.moj-log-files-dev[0].id 94 | # prefix = "alb-logs" 95 | # enabled = true 96 | # } 97 | 98 | enable_deletion_protection = true 99 | drop_invalid_header_fields = true 100 | 101 | tags = { 102 | Name = "${var.networking[0].business-unit}-${local.environment}" 103 | } 104 | } checkov_exitcode=1 ```
#### `CTFLint Scan` Failed
Show Output

```hcl
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/ppud
*****************************
Running tflint in terraform/environments/ppud
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/ppud/lambda.tf line 478:
 478: data "archive_file" "zip_the_send_cpu_notification_code_prod" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/ppud/secrets.tf line 4:
   4: resource "random_password" "password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2
```
#### `Trivy Scan` Failed
Show Output

```hcl
*****************************
Trivy will check the following folders:
terraform/environments/ppud
*****************************
Running Trivy in terraform/environments/ppud
2024-10-25T06:54:07Z INFO [vulndb] Need to update DB
2024-10-25T06:54:07Z INFO [vulndb] Downloading vulnerability DB...
2024-10-25T06:54:07Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-25T06:54:09Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-25T06:54:09Z INFO [vuln] Vulnerability scanning is enabled
2024-10-25T06:54:09Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-25T06:54:09Z INFO [misconfig] Need to update the built-in checks
2024-10-25T06:54:09Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-25T06:54:10Z INFO [secret] Secret scanning is enabled
2024-10-25T06:54:10Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-25T06:54:10Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-25T06:54:11Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-25T06:54:11Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.Memory_percentage_Committed_Bytes_In_Use" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.Windows_IIS_check" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.cpu" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.cpu_usage_iowait" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.instance_health_check" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_cpu" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_cpu_usage_iowait" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_ec2_high_memory_usage" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_instance_health_check" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.linux_system_health_check" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.low_disk_space_C_volume" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.low_disk_space_D_volume" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.low_disk_space_root_volume" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-behavior-detected" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-engine-out-of-date" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-engine-update-failed" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-scan-failed" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-signature-update-failed" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.malware-event-state-detected" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_metric_alarm.system_health_check" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="data.aws_instance.linux_instance_details" value="cty.NilVal"
2024-10-25T06:54:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="data.aws_instance.windows_instance_details" value="cty.NilVal"
2024-10-25T06:54:12Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="iam.tf:899-906"
2024-10-25T06:54:12Z INFO Number of language-specific files num=0
2024-10-25T06:54:12Z INFO Detected config files num=6

alb_external.tf (terraform)
===========================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 alb_external.tf:88
   via alb_external.tf:85-104 (aws_lb.WAM-ALB)
────────────────────────────────────────
  85   resource "aws_lb" "WAM-ALB" {
  ..
  88 [   internal = false
 ...
 104   }
────────────────────────────────────────


s3.tf (terraform)
=================
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 s3.tf:115-128
────────────────────────────────────────
 115 ┌ resource "aws_s3_bucket" "MoJ-Health-Check-Reports" {
 116 │   # checkov:skip=CKV_AWS_145: "S3 bucket is not public facing, does not contain any sensitive information and does not need encryption"
 117 │   # checkov:skip=CKV_AWS_62: "S3 bucket event notification is not required"
 118 │   # checkov:skip=CKV2_AWS_62: "S3 bucket event notification is not required"
 119 │   # checkov:skip=CKV_AWS_144: "PPUD has a UK Sovereignty requirement so cross region replication is prohibited"
 120 │   # checkov:skip=CKV_AWS_18: "S3 bucket logging is not required"
 121 │   bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3
 122 │   tags = merge(
 123 └     local.tags,
 ...
────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 s3.tf:115-128
────────────────────────────────────────
 115 ┌ resource "aws_s3_bucket" "MoJ-Health-Check-Reports" {
 116 │   # checkov:skip=CKV_AWS_145: "S3 bucket is not public facing, does not contain any sensitive information and does not need encryption"
 117 │   # checkov:skip=CKV_AWS_62: "S3 bucket event notification is not required"
 118 │   # checkov:skip=CKV2_AWS_62: "S3 bucket event notification is not required"
 119 │   # checkov:skip=CKV_AWS_144: "PPUD has a UK Sovereignty requirement so cross region replication is prohibited"
 120 │   # checkov:skip=CKV_AWS_18: "S3 bucket logging is not required"
 121 │   bucket = local.application_data.accounts[local.environment].ssm_health_check_reports_s3
 122 │   tags = merge(
 123 └     local.tags,
 ...
────────────────────────────────────────

trivy_exitcode=1
```