ministryofjustice / modernisation-platform-environments

Modernisation platform environments • This repository is defined and managed in Terraform
MIT License

reduce CPU per task #8460

Closed roncitrus closed 4 days ago

github-actions[bot] commented 4 days ago

#### `Trivy Scan` Failed

```text
*****************************
Trivy will check the following folders:
terraform/environments/cdpt-chaps
*****************************
Running Trivy in terraform/environments/cdpt-chaps
2024-10-25T10:43:54Z INFO [vulndb] Need to update DB
2024-10-25T10:43:54Z INFO [vulndb] Downloading vulnerability DB...
2024-10-25T10:43:54Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-25T10:43:56Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-25T10:43:56Z INFO [vuln] Vulnerability scanning is enabled
2024-10-25T10:43:56Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-25T10:43:56Z INFO [misconfig] Need to update the built-in checks
2024-10-25T10:43:56Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-25T10:43:56Z INFO [secret] Secret scanning is enabled
2024-10-25T10:43:56Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-25T10:43:56Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-25T10:43:57Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-25T10:43:57Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-25T10:43:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.tag" value="cty.NilVal"
2024-10-25T10:43:57Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.tag" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-25T10:44:00Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-25T10:44:00Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-25T10:44:00Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148"
2024-10-25T10:44:00Z INFO Number of language-specific files num=0
2024-10-25T10:44:00Z INFO Detected config files num=9

(terraform)
============
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────

database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-24
────────────────────────────────────────
   5 ┌ resource "aws_db_instance" "database" {
   6 │   allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
   7 │   storage_type      = "gp2"
   8 │   engine            = "sqlserver-web"
   9 │   engine_version    = "14.00.3381.3.v1"
  10 │   instance_class    = local.application_data.accounts[local.environment].db_instance_class
  11 │   identifier        = local.application_data.accounts[local.environment].db_instance_identifier
  12 │   username          = local.application_data.accounts[local.environment].db_user
  13 └   password          = aws_secretsmanager_secret_version.db_password.secret_string
  ..
────────────────────────────────────────

trivy_exitcode=1
```
#### `Checkov Scan` Failed

```text
*****************************
Checkov will check the following folders:
terraform/environments/cdpt-chaps
*****************************
Running Checkov in terraform/environments/cdpt-chaps
Excluding the following checks:
CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-25 10:44:03,225 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-25 10:44:03,225 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-10-25 10:44:03,225 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 110, Failed checks: 40, Skipped checks: 3

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
  FAILED for resource: bastion_linux
  File: /bastion_linux.tf:5-36
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

    5  | module "bastion_linux" {
    6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
    7  | 
    8  |   providers = {
    9  |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
    10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
    11 |   }
    12 | 
    13 |   # s3 - used for logs and user ssh public keys
    14 |   bucket_name = "bastion"
    15 |   # public keys
    16 |   public_key_data = local.public_key_data.keys[local.environment]
    17 |   # logs
    18 |   log_auto_clean = "Enabled"
    19 |   log_standard_ia_days = 30  # days before moving to IA storage
    20 |   log_glacier_days     = 60  # days before moving to Glacier
    21 |   log_expiry_days      = 180 # days before log expiration
    22 |   # bastion
    23 |   allow_ssh_commands = false
    24 | 
    25 |   app_name      = var.networking[0].application
    26 |   business_unit = local.vpc_name
    27 |   subnet_set    = local.subnet_set
    28 |   environment   = local.environment
    29 |   region        = "eu-west-2"
    30 | 
    31 |   extra_user_data_content = "yum install -y openldap-clients"
    32 | 
    33 |   # Tags
    34 |   tags_common = local.tags
    35 |   tags_prefix = terraform.workspace
    36 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
  FAILED for resource: aws_iam_policy_document.rds-kms
  File: /database.tf:70-80
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

    70 | data "aws_iam_policy_document" "rds-kms" {
    71 |   statement {
    72 |     effect    = "Allow"
    73 |     actions   = ["kms:*"]
    74 |     resources = ["*"]
    75 |     principals {
    76 |       type        = "AWS"
    77 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    78 |     }
    79 |   }
    80 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
  FAILED for resource: aws_iam_policy_document.rds-kms
  File: /database.tf:70-80
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

    70 | data "aws_iam_policy_document" "rds-kms" {
    71 |   statement {
    72 |     effect    = "Allow"
    73 |     actions   = ["kms:*"]
    74 |     resources = ["*"]
    75 |     principals {
    76 |       type        = "AWS"
    77 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    78 |     }
    79 |   }
    80 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
  FAILED for resource: aws_iam_policy_document.rds-kms
  File: /database.tf:70-80
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

    70 | data "aws_iam_policy_document" "rds-kms" {
    71 |   statement {
    72 |     effect    = "Allow"
    73 |     actions   = ["kms:*"]
    74 |     resources = ["*"]
    75 |     principals {
    76 |       type        = "AWS"
    77 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    78 |     }
    79 |   }
    80 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-24
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

    5  | resource "aws_db_instance" "database" {
    6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
    7  |   storage_type              = "gp2"
    8  |   engine                    = "sqlserver-web"
    9  |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
    21 |   apply_immediately         = true
    22 | 
    23 | 
    24 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-24
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

    5  | resource "aws_db_instance" "database" {
    6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
    7  |   storage_type              = "gp2"
    8  |   engine                    = "sqlserver-web"
    9  |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
    21 |   apply_immediately         = true
    22 | 
    23 | 
    24 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-24
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

    5  | resource "aws_db_instance" "database" {
    6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
    7  |   storage_type              = "gp2"
    8  |   engine                    = "sqlserver-web"
    9  |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
    21 |   apply_immediately         = true
    22 | 
    23 | 
    24 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-24
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

    5  | resource "aws_db_instance" "database" {
    6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
    7  |   storage_type              = "gp2"
    8  |   engine                    = "sqlserver-web"
    9  |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
    21 |   apply_immediately         = true
    22 | 
    23 | 
    24 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-24
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

    5  | resource "aws_db_instance" "database" {
    6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
    7  |   storage_type              = "gp2"
    8  |   engine                    = "sqlserver-web"
    9  |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
    21 |   apply_immediately         = true
    22 | 
    23 | 
    24 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-24
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

    5  | resource "aws_db_instance" "database" {
    6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
    7  |   storage_type              = "gp2"
    8  |   engine                    = "sqlserver-web"
    9  |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
    21 |   apply_immediately         = true
    22 | 
    23 | 
    24 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-24
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

    5  | resource "aws_db_instance" "database" {
    6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
    7  |   storage_type              = "gp2"
    8  |   engine                    = "sqlserver-web"
    9  |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
    21 |   apply_immediately         = true
    22 | 
    23 | 
    24 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-24
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

    5  | resource "aws_db_instance" "database" {
    6  |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
    7  |   storage_type              = "gp2"
    8  |   engine                    = "sqlserver-web"
    9  |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.db_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 |   ca_cert_identifier        = "rds-ca-rsa2048-g1"
    21 |   apply_immediately         = true
    22 | 
    23 | 
    24 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
  FAILED for resource: aws_security_group.db
  File: /database.tf:37-53
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

    37 | resource "aws_security_group" "db" {
    38 |   name        = "${local.application_name}-db-sg"
    39 |   description = "Allow DB inbound traffic"
    40 |   vpc_id      = data.aws_vpc.shared.id
    41 |   ingress {
    42 |     from_port   = 1433
    43 |     to_port     = 1433
    44 |     protocol    = "tcp"
    45 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
    46 |   }
    47 |   egress {
    48 |     from_port   = 0
    49 |     to_port     = 0
    50 |     protocol    = "-1"
    51 |     cidr_blocks = ["0.0.0.0/0"]
    52 |   }
    53 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
  FAILED for resource: aws_iam_policy.ec2_instance_policy
  File: /ecs.tf:6-49
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

    6  | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
    7  |   name = "${local.application_name}-ec2-instance-policy"
    8  | 
    9  |   policy = <
```

#### `CTFLint Scan` Failed
```text
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/cdpt-chaps
*****************************
Running tflint in terraform/environments/cdpt-chaps
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 100:
 100:     value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 104:
 104:     value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 108:
 108:     value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 112:
 112:     value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 116:
 116:     value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-chaps/ecs.tf line 171:
 171:     Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-chaps/secrets.tf line 7:
   7: resource "random_password" "password_long" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2
```
block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal" 2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal" 2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal" 2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal" 2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal" 2024-10-25T10:43:58Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal" 2024-10-25T10:44:00Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179" 2024-10-25T10:44:00Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179" 2024-10-25T10:44:00Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148" 2024-10-25T10:44:00Z INFO Number of language-specific files num=0 2024-10-25T10:44:00Z INFO Detected config files num=9 (terraform) ============ Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0) Failures: 2 (HIGH: 2, CRITICAL: 0) HIGH: Application load balancer is not set to drop invalid headers. ════════════════════════════════════════ Passing unknown or invalid headers through to the target poses a potential risk of compromise. By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer. See https://avd.aquasec.com/misconfig/avd-aws-0052 ──────────────────────────────────────── HIGH: Load balancer is exposed publicly. 
════════════════════════════════════════ There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly. See https://avd.aquasec.com/misconfig/avd-aws-0053 ──────────────────────────────────────── database.tf (terraform) ======================= Tests: 2 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 1) Failures: 1 (HIGH: 1, CRITICAL: 0) HIGH: Instance does not have storage encryption enabled. ════════════════════════════════════════ Encryption should be enabled for an RDS Database instances. When enabling encryption by setting the kms_key_id. See https://avd.aquasec.com/misconfig/avd-aws-0080 ──────────────────────────────────────── database.tf:5-24 ──────────────────────────────────────── 5 ┌ resource "aws_db_instance" "database" { 6 │ allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage 7 │ storage_type = "gp2" 8 │ engine = "sqlserver-web" 9 │ engine_version = "14.00.3381.3.v1" 10 │ instance_class = local.application_data.accounts[local.environment].db_instance_class 11 │ identifier = local.application_data.accounts[local.environment].db_instance_identifier 12 │ username = local.application_data.accounts[local.environment].db_user 13 └ password = aws_secretsmanager_secret_version.db_password.secret_string .. ──────────────────────────────────────── trivy_exitcode=1 ```