ministryofjustice / modernisation-platform-environments
Modernisation platform environments • This repository is defined and managed in Terraform
MIT License
ifs ami selection fix #8483
Closed (roncitrus closed 1 day ago)

github-actions[bot] commented 1 day ago
#### `Trivy Scan` Failed
```hcl
*****************************
Trivy will check the following folders:
terraform/environments/cdpt-ifs
*****************************
Running Trivy in terraform/environments/cdpt-ifs
2024-10-28T16:18:44Z  INFO  [vulndb] Need to update DB
2024-10-28T16:18:44Z  INFO  [vulndb] Downloading vulnerability DB...
2024-10-28T16:18:44Z  INFO  [vulndb] Downloading artifact...  repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-28T16:18:46Z  INFO  [vulndb] Artifact successfully downloaded  repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-28T16:18:46Z  INFO  [vuln] Vulnerability scanning is enabled
2024-10-28T16:18:46Z  INFO  [misconfig] Misconfiguration scanning is enabled
2024-10-28T16:18:46Z  INFO  [misconfig] Need to update the built-in checks
2024-10-28T16:18:46Z  INFO  [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-10-28T16:18:47Z  INFO  [secret] Secret scanning is enabled
2024-10-28T16:18:47Z  INFO  [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-28T16:18:47Z  INFO  [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-28T16:18:48Z  INFO  [terraform scanner] Scanning root module  file_path="."
2024-10-28T16:18:48Z  WARN  [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.  module="root" variables="networking"
2024-10-28T16:18:48Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="dynamic.tag" value="cty.NilVal"
2024-10-28T16:18:48Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="dynamic.tag" value="cty.NilVal"
2024-10-28T16:18:50Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-28T16:18:50Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-28T16:18:50Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-28T16:18:50Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-28T16:18:53Z  INFO  [terraform executor] Ignore finding  rule="aws-elb-alb-not-public" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148"
2024-10-28T16:18:53Z  INFO  [terraform executor] Ignore finding  rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-28T16:18:53Z  INFO  [terraform executor] Ignore finding  rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-28T16:18:53Z  INFO  Number of language-specific files  num=0
2024-10-28T16:18:53Z  INFO  Detected config files  num=10

 (terraform)
============
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────

database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5 ┌ resource "aws_db_instance" "database" {
   6 │   allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
   7 │   storage_type      = "gp2"
   8 │   engine            = "sqlserver-web"
   9 │   engine_version    = "14.00.3381.3.v1"
  10 │   instance_class    = local.application_data.accounts[local.environment].db_instance_class
  11 │   identifier        = local.application_data.accounts[local.environment].db_instance_identifier
  12 │   username          = local.application_data.accounts[local.environment].db_user
  13 └   password          = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..
────────────────────────────────────────

trivy_exitcode=1
```
#### `Checkov Scan` Failed
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/cdpt-ifs
*****************************
Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-28 16:18:56,255 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-28 16:18:56,255 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-10-28 16:18:56,255 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
2024-10-28 16:18:56,279 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-10-28 16:18:56,284 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 109, Failed checks: 40, Skipped checks: 3

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
  FAILED for resource: bastion_linux
  File: /bastion_linux.tf:5-37
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

     5 | module "bastion_linux" {
     6 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
     7 |
     8 |   providers = {
     9 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
    10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
    11 |   }
    12 |
    13 |   # s3 - used for logs and user ssh public keys
    14 |   bucket_name = "bastion"
    15 |
    16 |   # public keys
    17 |   public_key_data = local.public_key_data.keys[local.environment]
    18 |   # logs
    19 |   log_auto_clean       = "Enabled"
    20 |   log_standard_ia_days = 30  # days before moving to IA storage
    21 |   log_glacier_days     = 60  # days before moving to Glacier
    22 |   log_expiry_days      = 180 # days before log expiration
    23 |   # bastion
    24 |   allow_ssh_commands = false
    25 |
    26 |   app_name      = var.networking[0].application
    27 |   business_unit = local.vpc_name
    28 |   subnet_set    = local.subnet_set
    29 |   environment   = local.environment
    30 |   region        = "eu-west-2"
    31 |
    32 |   extra_user_data_content = "yum install -y openldap-clients"
    33 |
    34 |   # Tags
    35 |   tags_common = local.tags
    36 |   tags_prefix = terraform.workspace
    37 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-20
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

     5 | resource "aws_db_instance" "database" {
     6 |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
     7 |   storage_type              = "gp2"
     8 |   engine                    = "sqlserver-web"
     9 |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-20
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

     5 | resource "aws_db_instance" "database" {
     6 |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
     7 |   storage_type              = "gp2"
     8 |   engine                    = "sqlserver-web"
     9 |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-20
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

     5 | resource "aws_db_instance" "database" {
     6 |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
     7 |   storage_type              = "gp2"
     8 |   engine                    = "sqlserver-web"
     9 |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-20
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

     5 | resource "aws_db_instance" "database" {
     6 |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
     7 |   storage_type              = "gp2"
     8 |   engine                    = "sqlserver-web"
     9 |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-20
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

     5 | resource "aws_db_instance" "database" {
     6 |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
     7 |   storage_type              = "gp2"
     8 |   engine                    = "sqlserver-web"
     9 |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-20
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

     5 | resource "aws_db_instance" "database" {
     6 |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
     7 |   storage_type              = "gp2"
     8 |   engine                    = "sqlserver-web"
     9 |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-20
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

     5 | resource "aws_db_instance" "database" {
     6 |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
     7 |   storage_type              = "gp2"
     8 |   engine                    = "sqlserver-web"
     9 |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-20
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

     5 | resource "aws_db_instance" "database" {
     6 |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
     7 |   storage_type              = "gp2"
     8 |   engine                    = "sqlserver-web"
     9 |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
  FAILED for resource: aws_security_group.db
  File: /database.tf:33-49
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

    33 | resource "aws_security_group" "db" {
    34 |   name        = "${local.application_name}-db-sg"
    35 |   description = "Allow DB inbound traffic"
    36 |   vpc_id      = data.aws_vpc.shared.id
    37 |   ingress {
    38 |     from_port   = 1433
    39 |     to_port     = 1433
    40 |     protocol    = "tcp"
    41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
    42 |   }
    43 |   egress {
    44 |     from_port   = 0
    45 |     to_port     = 0
    46 |     protocol    = "-1"
    47 |     cidr_blocks = ["0.0.0.0/0"]
    48 |   }
    49 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
  FAILED for resource: aws_iam_policy_document.rds-kms
  File: /database.tf:66-76
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

    66 | data "aws_iam_policy_document" "rds-kms" {
    67 |   statement {
    68 |     effect    = "Allow"
    69 |     actions   = ["kms:*"]
    70 |     resources = ["*"]
    71 |     principals {
    72 |       type        = "AWS"
    73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    74 |     }
    75 |   }
    76 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
  FAILED for resource: aws_iam_policy_document.rds-kms
  File: /database.tf:66-76
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

    66 | data "aws_iam_policy_document" "rds-kms" {
    67 |   statement {
    68 |     effect    = "Allow"
    69 |     actions   = ["kms:*"]
    70 |     resources = ["*"]
    71 |     principals {
    72 |       type        = "AWS"
    73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    74 |     }
    75 |   }
    76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
  FAILED for resource: aws_iam_policy_document.rds-kms
  File: /database.tf:66-76
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

    66 | data "aws_iam_policy_document" "rds-kms" {
    67 |   statement {
    68 |     effect    = "Allow"
    69 |     actions   = ["kms:*"]
    70 |     resources = ["*"]
    71 |     principals {
    72 |       type        = "AWS"
    73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    74 |     }
    75 |   }
    76 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
  FAILED for resource: aws_iam_policy.ec2_instance_policy
  File: /ecs.tf:9-55
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

     9 | resource "aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards
    10 |   name = "${local.application_name}-ec2-instance-policy"
    11 |
    12 |   policy = <
```
#### `CTFLint Scan` Failed
```hcl
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/cdpt-ifs
*****************************
Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 117:
 117:     value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:     value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:     value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:     value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:     value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 402:
 402:     Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/secrets.tf line 5:
   5: resource "random_password" "password_long" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2
```
#### `Trivy Scan` Failed
Show Output
```hcl
*****************************
Trivy will check the following folders:
terraform/environments/cdpt-ifs
*****************************
Running Trivy in terraform/environments/cdpt-ifs
2024-10-28T16:18:44Z INFO [vulndb] Need to update DB
2024-10-28T16:18:44Z INFO [vulndb] Downloading vulnerability DB...
2024-10-28T16:18:44Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-28T16:18:46Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-28T16:18:46Z INFO [vuln] Vulnerability scanning is enabled
2024-10-28T16:18:46Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-28T16:18:46Z INFO [misconfig] Need to update the built-in checks
2024-10-28T16:18:46Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-10-28T16:18:47Z INFO [secret] Secret scanning is enabled
2024-10-28T16:18:47Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-28T16:18:47Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-28T16:18:48Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-28T16:18:48Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-28T16:18:48Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.tag" value="cty.NilVal"
2024-10-28T16:18:48Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="dynamic.tag" value="cty.NilVal"
2024-10-28T16:18:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-28T16:18:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-28T16:18:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-28T16:18:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-28T16:18:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-28T16:18:53Z INFO [terraform executor] Ignore finding rule="aws-elb-alb-not-public" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148"
2024-10-28T16:18:53Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-28T16:18:53Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-28T16:18:53Z INFO Number of language-specific files num=0
2024-10-28T16:18:53Z INFO Detected config files num=10

(terraform)
============
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────


HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────


database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5 ┌ resource "aws_db_instance" "database" {
   6 │   allocated_storage = local.application_data.accounts[local.environment].db_allocated_storage
   7 │   storage_type      = "gp2"
   8 │   engine            = "sqlserver-web"
   9 │   engine_version    = "14.00.3381.3.v1"
  10 │   instance_class    = local.application_data.accounts[local.environment].db_instance_class
  11 │   identifier        = local.application_data.accounts[local.environment].db_instance_identifier
  12 │   username          = local.application_data.accounts[local.environment].db_user
  13 └   password          = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..
────────────────────────────────────────


trivy_exitcode=1
```
#### `Checkov Scan` Failed
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/cdpt-ifs
*****************************
Running Checkov in terraform/environments/cdpt-ifs
Excluding the following checks:
CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-28 16:18:56,255 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-28 16:18:56,255 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
2024-10-28 16:18:56,255 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee:None (for external modules, the --download-external-modules flag is required)
2024-10-28 16:18:56,279 [MainThread ] [WARNI] [ArmLocalGraph] created 0 vertices
2024-10-28 16:18:56,284 [MainThread ] [WARNI] [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 109, Failed checks: 40, Skipped checks: 3

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
  FAILED for resource: bastion_linux
  File: /bastion_linux.tf:5-37
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

     5 | module "bastion_linux" {
     6 |   source = "github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1"
     7 |
     8 |   providers = {
     9 |     aws.share-host   = aws.core-vpc # core-vpc-(environment) holds the networking for all accounts
    10 |     aws.share-tenant = aws          # The default provider (unaliased, `aws`) is the tenant
    11 |   }
    12 |
    13 |   # s3 - used for logs and user ssh public keys
    14 |   bucket_name = "bastion"
    15 |
    16 |   # public keys
    17 |   public_key_data = local.public_key_data.keys[local.environment]
    18 |   # logs
    19 |   log_auto_clean       = "Enabled"
    20 |   log_standard_ia_days = 30  # days before moving to IA storage
    21 |   log_glacier_days     = 60  # days before moving to Glacier
    22 |   log_expiry_days      = 180 # days before log expiration
    23 |   # bastion
    24 |   allow_ssh_commands = false
    25 |
    26 |   app_name      = var.networking[0].application
    27 |   business_unit = local.vpc_name
    28 |   subnet_set    = local.subnet_set
    29 |   environment   = local.environment
    30 |   region        = "eu-west-2"
    31 |
    32 |   extra_user_data_content = "yum install -y openldap-clients"
    33 |
    34 |   # Tags
    35 |   tags_common = local.tags
    36 |   tags_prefix = terraform.workspace
    37 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-20
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354

     5 | resource "aws_db_instance" "database" {
     6 |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
     7 |   storage_type              = "gp2"
     8 |   engine                    = "sqlserver-web"
     9 |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 | }

Check: CKV_AWS_16: "Ensure all data stored in the RDS is securely encrypted at rest"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-20
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-4

     5 | resource "aws_db_instance" "database" {
     6 |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
     7 |   storage_type              = "gp2"
     8 |   engine                    = "sqlserver-web"
     9 |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-20
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

     5 | resource "aws_db_instance" "database" {
     6 |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
     7 |   storage_type              = "gp2"
     8 |   engine                    = "sqlserver-web"
     9 |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-20
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

     5 | resource "aws_db_instance" "database" {
     6 |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
     7 |   storage_type              = "gp2"
     8 |   engine                    = "sqlserver-web"
     9 |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-20
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

     5 | resource "aws_db_instance" "database" {
     6 |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
     7 |   storage_type              = "gp2"
     8 |   engine                    = "sqlserver-web"
     9 |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 | }

Check: CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-20
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-db-instance-gets-all-minor-upgrades-automatically

     5 | resource "aws_db_instance" "database" {
     6 |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
     7 |   storage_type              = "gp2"
     8 |   engine                    = "sqlserver-web"
     9 |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-20
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

     5 | resource "aws_db_instance" "database" {
     6 |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
     7 |   storage_type              = "gp2"
     8 |   engine                    = "sqlserver-web"
     9 |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
  FAILED for resource: aws_db_instance.database
  File: /database.tf:5-20
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

     5 | resource "aws_db_instance" "database" {
     6 |   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
     7 |   storage_type              = "gp2"
     8 |   engine                    = "sqlserver-web"
     9 |   engine_version            = "14.00.3381.3.v1"
    10 |   instance_class            = local.application_data.accounts[local.environment].db_instance_class
    11 |   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
    12 |   username                  = local.application_data.accounts[local.environment].db_user
    13 |   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
    14 |   vpc_security_group_ids    = [aws_security_group.db.id]
    15 |   depends_on                = [aws_security_group.db]
    16 |   snapshot_identifier       = local.application_data.accounts[local.environment].db_snapshot_identifier
    17 |   db_subnet_group_name      = aws_db_subnet_group.db.id
    18 |   final_snapshot_identifier = "final-snapshot-${formatdate("YYYYMMDDhhmmss", timestamp())}"
    19 |   publicly_accessible       = false
    20 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
  FAILED for resource: aws_security_group.db
  File: /database.tf:33-49
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

    33 | resource "aws_security_group" "db" {
    34 |   name        = "${local.application_name}-db-sg"
    35 |   description = "Allow DB inbound traffic"
    36 |   vpc_id      = data.aws_vpc.shared.id
    37 |   ingress {
    38 |     from_port   = 1433
    39 |     to_port     = 1433
    40 |     protocol    = "tcp"
    41 |     cidr_blocks = [data.aws_vpc.shared.cidr_block]
    42 |   }
    43 |   egress {
    44 |     from_port   = 0
    45 |     to_port     = 0
    46 |     protocol    = "-1"
    47 |     cidr_blocks = ["0.0.0.0/0"]
    48 |   }
    49 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
  FAILED for resource: aws_iam_policy_document.rds-kms
  File: /database.tf:66-76
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

    66 | data "aws_iam_policy_document" "rds-kms" {
    67 |   statement {
    68 |     effect    = "Allow"
    69 |     actions   = ["kms:*"]
    70 |     resources = ["*"]
    71 |     principals {
    72 |       type        = "AWS"
    73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    74 |     }
    75 |   }
    76 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
  FAILED for resource: aws_iam_policy_document.rds-kms
  File: /database.tf:66-76
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

    66 | data "aws_iam_policy_document" "rds-kms" {
    67 |   statement {
    68 |     effect    = "Allow"
    69 |     actions   = ["kms:*"]
    70 |     resources = ["*"]
    71 |     principals {
    72 |       type        = "AWS"
    73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    74 |     }
    75 |   }
    76 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
  FAILED for resource: aws_iam_policy_document.rds-kms
  File: /database.tf:66-76
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

    66 | data "aws_iam_policy_document" "rds-kms" {
    67 |   statement {
    68 |     effect    = "Allow"
    69 |     actions   = ["kms:*"]
    70 |     resources = ["*"]
    71 |     principals {
    72 |       type        = "AWS"
    73 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    74 |     }
    75 |   }
    76 | }

Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
  FAILED for resource: aws_iam_policy.ec2_instance_policy
  File: /ecs.tf:9-55
  Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-289

     9 | resource
"aws_iam_policy" "ec2_instance_policy" { #tfsec:ignore:aws-iam-no-policy-wildcards 10 | name = "${local.application_name}-ec2-instance-policy" 11 | 12 | policy = <Show Output
```hcl
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/cdpt-ifs
*****************************
Running tflint in terraform/environments/cdpt-ifs
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 117:
 117:       value = "${aws_db_instance.database.address}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 121:
 121:       value = "${aws_db_instance.database.username}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 125:
 125:       value = "${local.application_data.accounts[local.environment].db_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 129:
 129:       value = "${local.application_data.accounts[local.environment].client_id}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 133:
 133:       value = "${local.application_data.accounts[local.environment].env_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/cdpt-ifs/ecs.tf line 402:
 402:     Name = "${local.application_name}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/cdpt-ifs/secrets.tf line 5:
   5: resource "random_password" "password_long" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2
```
```hcl
*****************************
Trivy will check the following folders:
terraform/environments/cdpt-ifs
*****************************
Running Trivy in terraform/environments/cdpt-ifs
2024-10-28T16:18:44Z  INFO  [vulndb] Need to update DB
2024-10-28T16:18:44Z  INFO  [vulndb] Downloading vulnerability DB...
2024-10-28T16:18:44Z  INFO  [vulndb] Downloading artifact...  repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-28T16:18:46Z  INFO  [vulndb] Artifact successfully downloaded  repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-28T16:18:46Z  INFO  [vuln] Vulnerability scanning is enabled
2024-10-28T16:18:46Z  INFO  [misconfig] Misconfiguration scanning is enabled
2024-10-28T16:18:46Z  INFO  [misconfig] Need to update the built-in checks
2024-10-28T16:18:46Z  INFO  [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-10-28T16:18:47Z  INFO  [secret] Secret scanning is enabled
2024-10-28T16:18:47Z  INFO  [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-28T16:18:47Z  INFO  [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-28T16:18:48Z  INFO  [terraform scanner] Scanning root module  file_path="."
2024-10-28T16:18:48Z  WARN  [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.  module="root" variables="networking"
2024-10-28T16:18:48Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="dynamic.tag" value="cty.NilVal"
2024-10-28T16:18:48Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="dynamic.tag" value="cty.NilVal"
2024-10-28T16:18:50Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-28T16:18:50Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-28T16:18:50Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-28T16:18:50Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.dynamic.tag" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bastion_linux.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.expiration" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.transition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.principals" value="cty.NilVal"
2024-10-28T16:18:51Z  ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.lb_access_logs_enabled.module.s3-bucket[0].dynamic.condition" value="cty.NilVal"
2024-10-28T16:18:53Z  INFO  [terraform executor] Ignore finding  rule="aws-elb-alb-not-public" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/main.tf:148"
2024-10-28T16:18:53Z  INFO  [terraform executor] Ignore finding  rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-loadbalancer?ref=6f59e1ce47df66bc63ee9720b7c58993d1ee64ee/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-28T16:18:53Z  INFO  [terraform executor] Ignore finding  rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=v4.2.1/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-28T16:18:53Z  INFO  Number of language-specific files  num=0
2024-10-28T16:18:53Z  INFO  Detected config files  num=10

(terraform)
============
Tests: 2 (SUCCESSES: 0, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (HIGH: 2, CRITICAL: 0)

HIGH: Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise. By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────

database.tf (terraform)
=======================
Tests: 2 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Instance does not have storage encryption enabled.
════════════════════════════════════════
Encryption should be enabled for an RDS Database instances. When enabling encryption by setting the kms_key_id.

See https://avd.aquasec.com/misconfig/avd-aws-0080
────────────────────────────────────────
 database.tf:5-20
────────────────────────────────────────
   5 ┌ resource "aws_db_instance" "database" {
   6 │   allocated_storage         = local.application_data.accounts[local.environment].db_allocated_storage
   7 │   storage_type              = "gp2"
   8 │   engine                    = "sqlserver-web"
   9 │   engine_version            = "14.00.3381.3.v1"
  10 │   instance_class            = local.application_data.accounts[local.environment].db_instance_class
  11 │   identifier                = local.application_data.accounts[local.environment].db_instance_identifier
  12 │   username                  = local.application_data.accounts[local.environment].db_user
  13 └   password                  = aws_secretsmanager_secret_version.dbase_password.secret_string
  ..
────────────────────────────────────────

trivy_exitcode=1
```