ministryofjustice / modernisation-platform-environments

Modernisation platform environments • This repository is defined and managed in Terraform
MIT License

attempted refactoring to allow for state machine type #8486

Open luke-a-williams opened 1 day ago

luke-a-williams commented 1 day ago

@matt-heery I have attempted to fix the problem for you on your State Machine and step function.

github-actions[bot] commented 1 day ago

Trivy Scan Failed

```text
*****************************
Trivy will check the following folders:
terraform/environments/electronic-monitoring-data/modules/step_function
terraform/environments/electronic-monitoring-data
*****************************
Running Trivy in terraform/environments/electronic-monitoring-data/modules/step_function
2024-10-28T18:28:07Z INFO [vulndb] Need to update DB
2024-10-28T18:28:07Z INFO [vulndb] Downloading vulnerability DB...
2024-10-28T18:28:07Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-28T18:28:10Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-28T18:28:10Z INFO [vuln] Vulnerability scanning is enabled
2024-10-28T18:28:10Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-28T18:28:10Z INFO [misconfig] Need to update the built-in checks
2024-10-28T18:28:10Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-28T18:28:10Z INFO [secret] Secret scanning is enabled
2024-10-28T18:28:10Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-28T18:28:10Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-28T18:28:11Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-28T18:28:11Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="iam_policies, name, variable_dictionary"
2024-10-28T18:28:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_iam_role_policy_attachment.this_attachment" value="cty.NilVal"
2024-10-28T18:28:11Z INFO Number of language-specific files num=0
2024-10-28T18:28:11Z INFO Detected config files num=1
trivy_exitcode=0
*****************************
Running Trivy in terraform/environments/electronic-monitoring-data
2024-10-28T18:28:11Z INFO [vuln] Vulnerability scanning is enabled
2024-10-28T18:28:11Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-28T18:28:11Z INFO [secret] Secret scanning is enabled
2024-10-28T18:28:11Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-28T18:28:11Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-28T18:28:12Z WARN [pip] Unable to find python `site-packages` directory. License detection is skipped. err="site-packages directory not found"
2024-10-28T18:28:13Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-28T18:28:13Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-28T18:28:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_metadata_from_rds_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_metadata_from_rds_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.query_output_to_list.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.query_output_to_list.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.dynamic.tag" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.dynamic.tag" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block.
```
Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.transition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.principals" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.condition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.transition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-logging-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.principals" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.condition" value="cty.NilVal" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="s3.tf:1081-1100" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:281-286" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:407-411" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="s3.tf:1081-1100" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-logging" range="s3.tf:1081-1100" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding 
rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" 
range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="s3.tf:1081-1100"
2024-10-28T18:28:21Z INFO Number of language-specific files num=1
2024-10-28T18:28:21Z INFO [pip] Detecting vulnerabilities...
2024-10-28T18:28:21Z INFO Detected config files num=17

lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

trivy_exitcode=1
```
#### `Checkov Scan` Failed
Show Output
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/electronic-monitoring-data/modules/step_function
terraform/environments/electronic-monitoring-data
*****************************
Running Checkov in terraform/environments/electronic-monitoring-data/modules/step_function
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-28 18:28:23,912 [MainThread ] [WARNI] [ArmLocalGraph] created 0 vertices
2024-10-28 18:28:23,912 [MainThread ] [WARNI] [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 43, Failed checks: 7, Skipped checks: 0

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    FAILED for resource: aws_iam_policy_document.step_function_base_permissions
    File: /main.tf:40-49
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

        40 | data "aws_iam_policy_document" "step_function_base_permissions" {
        41 |   statement {
        42 |     effect = "Allow"
        43 |     actions = [
        44 |       "sns:Publish",
        45 |       "sqs:SendMessage"
        46 |     ]
        47 |     resources = ["*"]
        48 |   }
        49 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    FAILED for resource: aws_iam_policy_document.step_function_base_permissions
    File: /main.tf:40-49
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

        40 | data "aws_iam_policy_document" "step_function_base_permissions" {
        41 |   statement {
        42 |     effect = "Allow"
        43 |     actions = [
        44 |       "sns:Publish",
        45 |       "sqs:SendMessage"
        46 |     ]
        47 |     resources = ["*"]
        48 |   }
        49 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
    FAILED for resource: aws_iam_policy_document.this_log_key_document
    File: /main.tf:56-80
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

        56 | data "aws_iam_policy_document" "this_log_key_document" {
        57 |   statement {
        58 |     sid    = "EnableIAMUserPermissions"
        59 |     effect = "Allow"
        60 |     principals {
        61 |       type        = "AWS"
        62 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
        63 |     }
        64 |     actions   = ["kms:*"]
        65 |     resources = ["*"]
        66 |   }
        67 | 
        68 |   statement {
        69 |     sid    = "EnableLogServicePermissions"
        70 |     effect = "Allow"
        71 |     principals {
        72 |       type        = "Service"
        73 |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
        74 |     }
        75 |     actions = [
        76 |       "kms:*",
        77 |     ]
        78 |     resources = ["*"]
        79 |   }
        80 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    FAILED for resource: aws_iam_policy_document.this_log_key_document
    File: /main.tf:56-80
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

        56 | data "aws_iam_policy_document" "this_log_key_document" {
        57 |   statement {
        58 |     sid    = "EnableIAMUserPermissions"
        59 |     effect = "Allow"
        60 |     principals {
        61 |       type        = "AWS"
        62 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
        63 |     }
        64 |     actions   = ["kms:*"]
        65 |     resources = ["*"]
        66 |   }
        67 | 
        68 |   statement {
        69 |     sid    = "EnableLogServicePermissions"
        70 |     effect = "Allow"
        71 |     principals {
        72 |       type        = "Service"
        73 |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
        74 |     }
        75 |     actions = [
        76 |       "kms:*",
        77 |     ]
        78 |     resources = ["*"]
        79 |   }
        80 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    FAILED for resource: aws_iam_policy_document.this_log_key_document
    File: /main.tf:56-80
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

        56 | data "aws_iam_policy_document" "this_log_key_document" {
        57 |   statement {
        58 |     sid    = "EnableIAMUserPermissions"
        59 |     effect = "Allow"
        60 |     principals {
        61 |       type        = "AWS"
        62 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
        63 |     }
        64 |     actions   = ["kms:*"]
        65 |     resources = ["*"]
        66 |   }
        67 | 
        68 |   statement {
        69 |     sid    = "EnableLogServicePermissions"
        70 |     effect = "Allow"
        71 |     principals {
        72 |       type        = "Service"
        73 |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
        74 |     }
        75 |     actions = [
        76 |       "kms:*",
        77 |     ]
        78 |     resources = ["*"]
        79 |   }
        80 | }

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
    FAILED for resource: aws_sfn_state_machine.this
    File: /main.tf:4-9
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

        4 | resource "aws_sfn_state_machine" "this" {
        5 |   name       = var.name
        6 |   role_arn   = aws_iam_role.step_function_role.arn
        7 |   type       = var.state_machine_type
        8 |   definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary)
        9 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
    FAILED for resource: aws_sfn_state_machine.this
    File: /main.tf:4-9
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

        4 | resource "aws_sfn_state_machine" "this" {
        5 |   name       = var.name
        6 |   role_arn   = aws_iam_role.step_function_role.arn
        7 |   type       = var.state_machine_type
        8 |   definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary)
        9 | }

checkov_exitcode=1
*****************************
Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-28 18:28:26,969 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3:None (for external modules, the --download-external-modules flag is required)
2024-10-28 18:28:26,969 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060:None (for external modules, the --download-external-modules flag is required)
2024-10-28 18:28:26,969 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.0 (for external modules, the --download-external-modules flag is required)
2024-10-28 18:28:26,969 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=52a40b0:None (for external modules, the --download-external-modules flag is required)
2024-10-28 18:28:26,998 [MainThread ] [WARNI] [ArmLocalGraph] created 0 vertices
2024-10-28 18:28:27,004 [MainThread ] [WARNI] [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 2365, Failed checks: 75, Skipped checks: 38

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
    FAILED for resource: aws_sns_topic.s3_events
    File: /data_store.tf:17-19
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

        17 | resource "aws_sns_topic" "s3_events" {
        18 |   name = "${module.s3-data-bucket.bucket.id}-object-created-topic"
        19 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    FAILED for resource: aws_lambda_function.calculate_checksum_lambda
    File: /data_store.tf:82-98
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

        82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
        83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
        84 |   function_name = "calculate-checksum-lambda"
        85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
        86 |   handler       = "calculate_checksum_lambda.handler"
        87 |   runtime       = "python3.12"
        88 |   memory_size   = 4096
        89 |   timeout       = 900
        90 | 
        91 |   environment {
        92 |     variables = {
        93 |       Checksum = var.checksum_algorithm
        94 |     }
        95 |   }
        96 | 
        97 |   tags = local.tags
        98 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    FAILED for resource: aws_lambda_function.calculate_checksum_lambda
    File: /data_store.tf:82-98
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

        82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
        83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
        84 |   function_name = "calculate-checksum-lambda"
        85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
        86 |   handler       = "calculate_checksum_lambda.handler"
        87 |   runtime       = "python3.12"
        88 |   memory_size   = 4096
        89 |   timeout       = 900
        90 | 
        91 |   environment {
        92 |     variables = {
        93 |       Checksum = var.checksum_algorithm
        94 |     }
        95 |   }
        96 | 
        97 |   tags = local.tags
        98 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    FAILED for resource: aws_lambda_function.calculate_checksum_lambda
    File: /data_store.tf:82-98
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

        82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
        83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
        84 |   function_name = "calculate-checksum-lambda"
        85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
        86 |   handler       = "calculate_checksum_lambda.handler"
        87 |   runtime       = "python3.12"
        88 |   memory_size   = 4096
        89 |   timeout       = 900
        90 | 
        91 |   environment {
        92 |     variables = {
        93 |       Checksum = var.checksum_algorithm
        94 |     }
        95 |   }
        96 | 
        97 |   tags = local.tags
        98 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
    FAILED for resource: aws_lambda_function.calculate_checksum_lambda
    File: /data_store.tf:82-98
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

        82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
        83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
        84 |   function_name = "calculate-checksum-lambda"
        85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
        86 |   handler       = "calculate_checksum_lambda.handler"
        87 |   runtime       = "python3.12"
        88 |   memory_size   = 4096
        89 |   timeout       = 900
        90 | 
        91 |   environment {
        92 |     variables = {
        93 |       Checksum = var.checksum_algorithm
        94 |     }
        95 |   }
        96 | 
        97 |   tags = local.tags
        98 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.calculate_checksum_lambda
    File: /data_store.tf:82-98
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
        83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
        84 |   function_name = "calculate-checksum-lambda"
        85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
        86 |   handler       = "calculate_checksum_lambda.handler"
        87 |   runtime       = "python3.12"
        88 |   memory_size   = 4096
        89 |   timeout       = 900
        90 | 
        91 |   environment {
        92 |     variables = {
        93 |       Checksum = var.checksum_algorithm
        94 |     }
        95 |   }
        96 | 
        97 |   tags = local.tags
        98 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    FAILED for resource: aws_lambda_function.calculate_checksum_lambda
    File: /data_store.tf:82-98
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

        82 | resource "aws_lambda_function" "calculate_checksum_lambda" {
        83 |   filename      = "lambdas/calculate_checksum_lambda.zip"
        84 |   function_name = "calculate-checksum-lambda"
        85 |   role          = aws_iam_role.calculate_checksum_lambda.arn
        86 |   handler       = "calculate_checksum_lambda.handler"
        87 |   runtime       = "python3.12"
        88 |   memory_size   = 4096
        89 |   timeout       = 900
        90 | 
        91 |   environment {
        92 |     variables = {
        93 |       Checksum = var.checksum_algorithm
        94 |     }
        95 |   }
        96 | 
        97 |   tags = local.tags
        98 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    FAILED for resource: aws_lambda_function.summarise_zip_lambda
    File: /data_store.tf:157-168
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

        157 | resource "aws_lambda_function" "summarise_zip_lambda" {
        158 |   filename         = "lambdas/summarise_zip_lambda.zip"
        159 |   function_name    = "summarise-zip-lambda"
        160 |   role             = aws_iam_role.summarise_zip_lambda.arn
        161 |   handler          = "summarise_zip_lambda.handler"
        162 |   runtime          = "python3.12"
        163 |   timeout          = 900
        164 |   memory_size      = 1024
        165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
        166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
        167 |   tags             = local.tags
        168 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    FAILED for resource: aws_lambda_function.summarise_zip_lambda
    File: /data_store.tf:157-168
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

        157 | resource "aws_lambda_function" "summarise_zip_lambda" {
        158 |   filename         = "lambdas/summarise_zip_lambda.zip"
        159 |   function_name    = "summarise-zip-lambda"
        160 |   role             = aws_iam_role.summarise_zip_lambda.arn
        161 |   handler          = "summarise_zip_lambda.handler"
        162 |   runtime          = "python3.12"
        163 |   timeout          = 900
        164 |   memory_size      = 1024
        165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
        166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
        167 |   tags             = local.tags
        168 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
    FAILED for resource: aws_lambda_function.summarise_zip_lambda
    File: /data_store.tf:157-168
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

        157 | resource "aws_lambda_function" "summarise_zip_lambda" {
        158 |   filename         = "lambdas/summarise_zip_lambda.zip"
        159 |   function_name    = "summarise-zip-lambda"
        160 |   role             = aws_iam_role.summarise_zip_lambda.arn
        161 |   handler          = "summarise_zip_lambda.handler"
        162 |   runtime          = "python3.12"
        163 |   timeout          = 900
        164 |   memory_size      = 1024
        165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
        166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
        167 |   tags             = local.tags
        168 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    FAILED for resource: aws_lambda_function.summarise_zip_lambda
    File: /data_store.tf:157-168
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

        157 | resource "aws_lambda_function" "summarise_zip_lambda" {
        158 |   filename         = "lambdas/summarise_zip_lambda.zip"
        159 |   function_name    = "summarise-zip-lambda"
        160 |   role             = aws_iam_role.summarise_zip_lambda.arn
        161 |   handler          = "summarise_zip_lambda.handler"
        162 |   runtime          = "python3.12"
        163 |   timeout          = 900
        164 |   memory_size      = 1024
        165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
        166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
        167 |   tags             = local.tags
        168 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    FAILED for resource: aws_lambda_function.summarise_zip_lambda
    File: /data_store.tf:157-168
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

        157 | resource "aws_lambda_function" "summarise_zip_lambda" {
        158 |   filename         = "lambdas/summarise_zip_lambda.zip"
        159 |   function_name    = "summarise-zip-lambda"
        160 |   role             = aws_iam_role.summarise_zip_lambda.arn
        161 |   handler          = "summarise_zip_lambda.handler"
        162 |   runtime          = "python3.12"
        163 |   timeout          = 900
        164 |   memory_size      = 1024
        165 |   layers           = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"]
        166 |   source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256
        167 |   tags             = local.tags
        168 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
    File: /dms_data_validation_glue_job.tf:58-61
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

        58 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
        59 |   name              = "dms-dv-glue-job"
        60 |   retention_in_days = 14
        61 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group
    File: /dms_data_validation_glue_job.tf:58-61
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

        58 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" {
        59 |   name              = "dms-dv-glue-job"
        60 |   retention_in_days = 14
        61 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
    File: /dms_data_validation_glue_job.tf:63-66
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

        63 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
        64 |   name              = "dms-dv-glue-job-v2"
        65 |   retention_in_days = 14
        66 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2
    File: /dms_data_validation_glue_job.tf:63-66
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

        63 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" {
        64 |   name              = "dms-dv-glue-job-v2"
        65 |   retention_in_days = 14
        66 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration
    File: /dms_data_validation_glue_job.tf:68-71
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

        68 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" {
        69 |   name              = "rds-to-s3-parquet-migration"
        70 |   retention_in_days = 14
        71 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration
    File: /dms_data_validation_glue_job.tf:68-71
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

        68 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" {
        69 |   name              = "rds-to-s3-parquet-migration"
        70 |   retention_in_days = 14
        71 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
    FAILED for resource: aws_cloudwatch_log_group.resizing_parquet_files
    File: /dms_data_validation_glue_job.tf:73-76
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

        73 | resource "aws_cloudwatch_log_group" "resizing_parquet_files" {
        74 |   name              = "resizing-parquet-files"
        75 |   retention_in_days = 14
        76 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    FAILED for resource: aws_cloudwatch_log_group.resizing_parquet_files
    File: /dms_data_validation_glue_job.tf:73-76
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

        73 | resource "aws_cloudwatch_log_group" "resizing_parquet_files" {
        74 |   name              = "resizing-parquet-files"
        75 |   retention_in_days = 14
        76 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
    FAILED for resource: aws_glue_job.dms_dv_glue_job_v2
    File: /dms_data_validation_glue_job.tf:79-132
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

        Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
    FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d
    File: /dms_data_validation_glue_job.tf:140-193
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

        Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
    FAILED for resource: aws_glue_job.rds_to_s3_parquet_migration
    File: /dms_data_validation_glue_job.tf:196-260
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

        Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
    FAILED for resource: aws_glue_job.rds_to_s3_parquet_migration_monthly
    File: /dms_data_validation_glue_job.tf:264-315
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

        Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
    FAILED for resource: aws_glue_job.resizing_parquet_files
    File: /dms_data_validation_glue_job.tf:318-370
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

        Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
    FAILED for resource: aws_glue_job.catalog_dv_table_glue_job
    File: /dms_data_validation_glue_job.tf:373-401
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

        373 | resource "aws_glue_job" "catalog_dv_table_glue_job" {
        374 |   name              = "catalog-dv-table-glue-job"
        375 |   description       = "Python script uses Boto3-Athena-Client to run sql-statements"
        376 |   role_arn          = aws_iam_role.dms_dv_glue_job_iam_role.arn
        377 |   glue_version      = "4.0"
        378 |   worker_type       = "G.1X"
        379 |   number_of_workers = 2
        380 |   default_arguments = {
        381 |     "--parquet_output_bucket_name"        = module.s3-dms-data-validation-bucket.bucket.id
        382 |     "--glue_catalog_db_name"              = aws_glue_catalog_database.dms_dv_glue_catalog_db.name
        383 |     "--glue_catalog_tbl_name"             = "glue_df_output"
        384 |     "--continuous-log-logGroup"           = aws_cloudwatch_log_group.dms_dv_cw_log_group.name
        385 |     "--enable-continuous-cloudwatch-log"  = "true"
        386 |     "--enable-continuous-log-filter"      = "true"
        387 |     "--enable-metrics"                    = ""
        388 |   }
        389 |   command {
        390 |     python_version  = "3"
        391 |     script_location = "s3://${module.s3-glue-job-script-bucket.bucket.id}/create_or_replace_dv_table.py"
        392 |   }
        393 | 
        394 |   tags = merge(
        395 |     local.tags,
        396 |     {
        397 |       Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions",
        398 |     }
        399 |   )
        400 | 
        401 | }

Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated"
    FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler
    File: /dms_glue_crawler.tf:35-56
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration

        35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" {
        36 |   name = 
"rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf" 37 | role = aws_iam_role.dms_dv_glue_job_iam_role.arn 38 | database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name 39 | description = "Crawler to fetch database names" 40 | # table_prefix = "your_table_prefix" 41 | 42 | jdbc_target { 43 | connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name 44 | path = "%" 45 | } 46 | tags = merge( 47 | local.tags, 48 | { 49 | Resource_Type = "RDS-SQLServer Glue-Crawler for DMS", 50 | } 51 | ) 52 | 53 | # provisioner "local-exec" { 54 | # command = "aws glue start-crawler --name ${self.name}" 55 | # } 56 | } Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)" FAILED for resource: aws_dms_replication_instance.dms_replication_instance File: /dms_replication_instance.tf:24-55 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk 24 | resource "aws_dms_replication_instance" "dms_replication_instance" { 25 | allocated_storage = var.dms_allocated_storage_gib 26 | apply_immediately = true 27 | auto_minor_version_upgrade = true 28 | availability_zone = var.dms_availability_zone 29 | engine_version = var.dms_engine_version 30 | # kms_key_arn = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8" 31 | multi_az = false 32 | # preferred_maintenance_window = "sun:10:30-sun:14:30" 33 | publicly_accessible = false 34 | replication_instance_class = var.dms_replication_instance_class 35 | replication_instance_id = "dms-replication-instance-tf" 36 | replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id 37 | 38 | tags = merge( 39 | local.tags, 40 | { 41 | Resource_Type = "DMS Replication Instance", 42 | } 43 | ) 44 | 45 | vpc_security_group_ids = [ 46 | 
aws_security_group.dms_ri_security_group.id, 47 | ] 48 | 49 | depends_on = [ 50 | aws_iam_role.dms_vpc_role, 51 | aws_iam_role.dms_cloudwatch_logs_role, 52 | aws_iam_role.dms_endpoint_role 53 | ] 54 | 55 | } Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80" FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound File: /dms_security_groups.tf:95-103 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80 95 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" { 96 | security_group_id = aws_security_group.glue_rds_conn_security_group.id 97 | 98 | referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id 99 | ip_protocol = "tcp" 100 | from_port = 0 101 | to_port = 65535 102 | description = "Required ports open for Glue-RDS-Connection" 103 | } Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22" FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound File: /dms_security_groups.tf:95-103 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security 95 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" { 96 | security_group_id = aws_security_group.glue_rds_conn_security_group.id 97 | 98 | referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id 99 | ip_protocol = "tcp" 100 | from_port = 0 101 | to_port = 65535 102 | description = "Required ports open for Glue-RDS-Connection" 103 | } Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389" FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound File: /dms_security_groups.tf:95-103 Guide: 
https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2 95 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" { 96 | security_group_id = aws_security_group.glue_rds_conn_security_group.id 97 | 98 | referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id 99 | ip_protocol = "tcp" 100 | from_port = 0 101 | to_port = 65535 102 | description = "Required ports open for Glue-RDS-Connection" 103 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document File: /glue_data.tf:96-111 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 96 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" { 97 | statement { 98 | effect = "Allow" 99 | actions = [ 100 | "ec2:CreateNetworkInterface", 101 | "ec2:DescribeNetworkInterfaces", 102 | "ec2:DeleteNetworkInterface", 103 | "ec2:DescribeVpcEndpoints", 104 | "ec2:DescribeSubnets", 105 | "ec2:DescribeVpcAttribute", 106 | "ec2:DescribeRouteTables", 107 | "ec2:DescribeSecurityGroups" 108 | ] 109 | resources = ["*"] 110 | } 111 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document File: /glue_data.tf:96-111 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 96 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" { 97 | statement { 98 | effect = "Allow" 99 | actions = [ 100 | "ec2:CreateNetworkInterface", 101 | "ec2:DescribeNetworkInterfaces", 102 | "ec2:DeleteNetworkInterface", 103 | "ec2:DescribeVpcEndpoints", 104 | "ec2:DescribeSubnets", 105 | 
"ec2:DescribeVpcAttribute", 106 | "ec2:DescribeRouteTables", 107 | "ec2:DescribeSecurityGroups" 108 | ] 109 | resources = ["*"] 110 | } 111 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document File: /lambdas_iam.tf:430-487 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint Code lines for this resource are too many. Please use IDE of your choice to review the file. Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document File: /lambdas_iam.tf:430-487 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 Code lines for this resource are too many. Please use IDE of your choice to review the file. 
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK" FAILED for resource: aws_secretsmanager_secret.db_glue_connection File: /lambdas_secrets.tf:1-3 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms 1 | resource "aws_secretsmanager_secret" "db_glue_connection" { 2 | name = "db_glue_connection" 3 | } Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)" FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source File: /modules/dms/endpoints_rds_s3.tf:2-23 Calling File: /dms_main.tf:1-39 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296 2 | resource "aws_dms_endpoint" "dms_rds_source" { 3 | 4 | # certificate_arn = "" 5 | database_name = var.database_name 6 | endpoint_id = "rds-mssql-${replace(var.database_name, "_", "-")}-tf" 7 | endpoint_type = "source" 8 | engine_name = "sqlserver" 9 | # extra_connection_attributes = "" 10 | # kms_key_arn = aws_db_instance.database_2022.kms_key_id 11 | password = var.rds_db_instance_pasword 12 | port = var.rds_db_instance_port 13 | server_name = var.rds_db_server_name 14 | ssl_mode = "require" 15 | username = var.rds_db_username 16 | 17 | tags = merge( 18 | var.local_tags, 19 | { 20 | Resource_Type = "DMS Source Endpoint - RDS MSSQL", 21 | }, 22 | ) 23 | } Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)" FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target File: /modules/dms/endpoints_rds_s3.tf:28-84 Calling File: /dms_main.tf:1-39 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298 Code lines for this resource are too many. Please use IDE of your choice to review the file. 
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled" FAILED for resource: module.athena_layer.aws_sfn_state_machine.this File: /modules/step_function/main.tf:4-9 Calling File: /step_functions_main.tf:5-13 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285 4 | resource "aws_sfn_state_machine" "this" { 5 | name = var.name 6 | role_arn = aws_iam_role.step_function_role.arn 7 | type = var.state_machine_type 8 | definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary) 9 | } Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled" FAILED for resource: module.athena_layer.aws_sfn_state_machine.this File: /modules/step_function/main.tf:4-9 Calling File: /step_functions_main.tf:5-13 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284 4 | resource "aws_sfn_state_machine" "this" { 5 | name = var.name 6 | role_arn = aws_iam_role.step_function_role.arn 7 | type = var.state_machine_type 8 | definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary) 9 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: module.athena_layer.aws_iam_policy_document.step_function_base_permissions File: /modules/step_function/main.tf:40-49 Calling File: /step_functions_main.tf:5-13 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 40 | data "aws_iam_policy_document" "step_function_base_permissions" { 41 | statement { 42 | effect = "Allow" 43 | actions = [ 44 | "sns:Publish", 45 | "sqs:SendMessage" 46 | ] 47 | resources = ["*"] 48 | } 49 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for 
resource: module.athena_layer.aws_iam_policy_document.step_function_base_permissions File: /modules/step_function/main.tf:40-49 Calling File: /step_functions_main.tf:5-13 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 40 | data "aws_iam_policy_document" "step_function_base_permissions" { 41 | statement { 42 | effect = "Allow" 43 | actions = [ 44 | "sns:Publish", 45 | "sqs:SendMessage" 46 | ] 47 | resources = ["*"] 48 | } 49 | } Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints" FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:5-13 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:5-13 Guide: 
https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:5-13 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled" FAILED for resource: module.get_zipped_file.aws_sfn_state_machine.this File: /modules/step_function/main.tf:4-9 Calling File: 
/step_functions_main.tf:38-49 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285 4 | resource "aws_sfn_state_machine" "this" { 5 | name = var.name 6 | role_arn = aws_iam_role.step_function_role.arn 7 | type = var.state_machine_type 8 | definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary) 9 | } Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled" FAILED for resource: module.get_zipped_file.aws_sfn_state_machine.this File: /modules/step_function/main.tf:4-9 Calling File: /step_functions_main.tf:38-49 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284 4 | resource "aws_sfn_state_machine" "this" { 5 | name = var.name 6 | role_arn = aws_iam_role.step_function_role.arn 7 | type = var.state_machine_type 8 | definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary) 9 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: module.get_zipped_file.aws_iam_policy_document.step_function_base_permissions File: /modules/step_function/main.tf:40-49 Calling File: /step_functions_main.tf:38-49 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 40 | data "aws_iam_policy_document" "step_function_base_permissions" { 41 | statement { 42 | effect = "Allow" 43 | actions = [ 44 | "sns:Publish", 45 | "sqs:SendMessage" 46 | ] 47 | resources = ["*"] 48 | } 49 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: module.get_zipped_file.aws_iam_policy_document.step_function_base_permissions File: /modules/step_function/main.tf:40-49 Calling File: /step_functions_main.tf:38-49 Guide: 
https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 40 | data "aws_iam_policy_document" "step_function_base_permissions" { 41 | statement { 42 | effect = "Allow" 43 | actions = [ 44 | "sns:Publish", 45 | "sqs:SendMessage" 46 | ] 47 | resources = ["*"] 48 | } 49 | } Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints" FAILED for resource: module.get_zipped_file.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:38-49 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: module.get_zipped_file.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:38-49 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 
| principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: module.get_zipped_file.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:38-49 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled" FAILED for resource: module.send_database_to_ap.aws_sfn_state_machine.this File: /modules/step_function/main.tf:4-9 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285 4 | resource "aws_sfn_state_machine" "this" { 5 | name = var.name 6 | role_arn = aws_iam_role.step_function_role.arn 7 | type = var.state_machine_type 8 | 
definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary) 9 | } Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled" FAILED for resource: module.send_database_to_ap.aws_sfn_state_machine.this File: /modules/step_function/main.tf:4-9 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284 4 | resource "aws_sfn_state_machine" "this" { 5 | name = var.name 6 | role_arn = aws_iam_role.step_function_role.arn 7 | type = var.state_machine_type 8 | definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary) 9 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: module.send_database_to_ap.aws_iam_policy_document.step_function_base_permissions File: /modules/step_function/main.tf:40-49 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 40 | data "aws_iam_policy_document" "step_function_base_permissions" { 41 | statement { 42 | effect = "Allow" 43 | actions = [ 44 | "sns:Publish", 45 | "sqs:SendMessage" 46 | ] 47 | resources = ["*"] 48 | } 49 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: module.send_database_to_ap.aws_iam_policy_document.step_function_base_permissions File: /modules/step_function/main.tf:40-49 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 40 | data "aws_iam_policy_document" "step_function_base_permissions" { 41 | statement { 42 | effect = "Allow" 43 | actions = [ 44 | "sns:Publish", 45 | "sqs:SendMessage" 46 | ] 47 | resources = 
["*"] 48 | } 49 | } Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints" FAILED for resource: module.send_database_to_ap.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: module.send_database_to_ap.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | 
type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: module.send_database_to_ap.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK" FAILED for resource: aws_secretsmanager_secret.db_password File: /server_backups.tf:4-6 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms 4 | resource "aws_secretsmanager_secret" "db_password" { 5 | name = "db_password" 6 | } Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs" FAILED for resource: aws_db_instance.database_2022 File: /server_backups.tf:21-56 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354 21 | resource "aws_db_instance" "database_2022" { 22 | # count = local.is-production ? 
1 : 0
23 |
24 |   identifier    = "database-v2022"
25 |   license_model = "license-included"
26 |   username      = "admin"
27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
28 |
29 |   engine         = "sqlserver-se"
30 |   engine_version = "16.00.4105.2.v1"
31 |   instance_class = "db.m5.large"
32 |
33 |   storage_type          = "gp2"
34 |   allocated_storage     = 2100
35 |   max_allocated_storage = 2500
36 |   storage_encrypted     = true
37 |
38 |   multi_az = false
39 |
40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
41 |   vpc_security_group_ids = [aws_security_group.db.id]
42 |   port                   = 1433
43 |
44 |   auto_minor_version_upgrade = true
45 |   skip_final_snapshot        = true
46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
47 |   deletion_protection        = false
48 |
49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
50 |
51 |   iam_database_authentication_enabled = false
52 |
53 |   apply_immediately = true
54 |
55 |   tags = local.tags
56 | }

Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
    FAILED for resource: aws_db_instance.database_2022
    File: /server_backups.tf:21-56
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73

21 | resource "aws_db_instance" "database_2022" {
22 |   # count = local.is-production ? 1 : 0
23 |
24 |   identifier    = "database-v2022"
25 |   license_model = "license-included"
26 |   username      = "admin"
27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
28 |
29 |   engine         = "sqlserver-se"
30 |   engine_version = "16.00.4105.2.v1"
31 |   instance_class = "db.m5.large"
32 |
33 |   storage_type          = "gp2"
34 |   allocated_storage     = 2100
35 |   max_allocated_storage = 2500
36 |   storage_encrypted     = true
37 |
38 |   multi_az = false
39 |
40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
41 |   vpc_security_group_ids = [aws_security_group.db.id]
42 |   port                   = 1433
43 |
44 |   auto_minor_version_upgrade = true
45 |   skip_final_snapshot        = true
46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
47 |   deletion_protection        = false
48 |
49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
50 |
51 |   iam_database_authentication_enabled = false
52 |
53 |   apply_immediately = true
54 |
55 |   tags = local.tags
56 | }

Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
    FAILED for resource: aws_db_instance.database_2022
    File: /server_backups.tf:21-56
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances

21 | resource "aws_db_instance" "database_2022" {
22 |   # count = local.is-production ? 1 : 0
23 |
24 |   identifier    = "database-v2022"
25 |   license_model = "license-included"
26 |   username      = "admin"
27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
28 |
29 |   engine         = "sqlserver-se"
30 |   engine_version = "16.00.4105.2.v1"
31 |   instance_class = "db.m5.large"
32 |
33 |   storage_type          = "gp2"
34 |   allocated_storage     = 2100
35 |   max_allocated_storage = 2500
36 |   storage_encrypted     = true
37 |
38 |   multi_az = false
39 |
40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
41 |   vpc_security_group_ids = [aws_security_group.db.id]
42 |   port                   = 1433
43 |
44 |   auto_minor_version_upgrade = true
45 |   skip_final_snapshot        = true
46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
47 |   deletion_protection        = false
48 |
49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
50 |
51 |   iam_database_authentication_enabled = false
52 |
53 |   apply_immediately = true
54 |
55 |   tags = local.tags
56 | }

Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
    FAILED for resource: aws_db_instance.database_2022
    File: /server_backups.tf:21-56
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353

21 | resource "aws_db_instance" "database_2022" {
22 |   # count = local.is-production ? 1 : 0
23 |
24 |   identifier    = "database-v2022"
25 |   license_model = "license-included"
26 |   username      = "admin"
27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
28 |
29 |   engine         = "sqlserver-se"
30 |   engine_version = "16.00.4105.2.v1"
31 |   instance_class = "db.m5.large"
32 |
33 |   storage_type          = "gp2"
34 |   allocated_storage     = 2100
35 |   max_allocated_storage = 2500
36 |   storage_encrypted     = true
37 |
38 |   multi_az = false
39 |
40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
41 |   vpc_security_group_ids = [aws_security_group.db.id]
42 |   port                   = 1433
43 |
44 |   auto_minor_version_upgrade = true
45 |   skip_final_snapshot        = true
46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
47 |   deletion_protection        = false
48 |
49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
50 |
51 |   iam_database_authentication_enabled = false
52 |
53 |   apply_immediately = true
54 |
55 |   tags = local.tags
56 | }

Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"
    FAILED for resource: aws_db_instance.database_2022
    File: /server_backups.tf:21-56
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293

21 | resource "aws_db_instance" "database_2022" {
22 |   # count = local.is-production ? 1 : 0
23 |
24 |   identifier    = "database-v2022"
25 |   license_model = "license-included"
26 |   username      = "admin"
27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
28 |
29 |   engine         = "sqlserver-se"
30 |   engine_version = "16.00.4105.2.v1"
31 |   instance_class = "db.m5.large"
32 |
33 |   storage_type          = "gp2"
34 |   allocated_storage     = 2100
35 |   max_allocated_storage = 2500
36 |   storage_encrypted     = true
37 |
38 |   multi_az = false
39 |
40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
41 |   vpc_security_group_ids = [aws_security_group.db.id]
42 |   port                   = 1433
43 |
44 |   auto_minor_version_upgrade = true
45 |   skip_final_snapshot        = true
46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
47 |   deletion_protection        = false
48 |
49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
50 |
51 |   iam_database_authentication_enabled = false
52 |
53 |   apply_immediately = true
54 |
55 |   tags = local.tags
56 | }

Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
    FAILED for resource: aws_db_instance.database_2022
    File: /server_backups.tf:21-56
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled

21 | resource "aws_db_instance" "database_2022" {
22 |   # count = local.is-production ? 1 : 0
23 |
24 |   identifier    = "database-v2022"
25 |   license_model = "license-included"
26 |   username      = "admin"
27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
28 |
29 |   engine         = "sqlserver-se"
30 |   engine_version = "16.00.4105.2.v1"
31 |   instance_class = "db.m5.large"
32 |
33 |   storage_type          = "gp2"
34 |   allocated_storage     = 2100
35 |   max_allocated_storage = 2500
36 |   storage_encrypted     = true
37 |
38 |   multi_az = false
39 |
40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
41 |   vpc_security_group_ids = [aws_security_group.db.id]
42 |   port                   = 1433
43 |
44 |   auto_minor_version_upgrade = true
45 |   skip_final_snapshot        = true
46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
47 |   deletion_protection        = false
48 |
49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
50 |
51 |   iam_database_authentication_enabled = false
52 |
53 |   apply_immediately = true
54 |
55 |   tags = local.tags
56 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    FAILED for resource: aws_iam_policy_document.send_database_to_ap
    File: /step_functions_iam.tf:44-118
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint
    Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    FAILED for resource: aws_iam_policy_document.send_database_to_ap
    File: /step_functions_iam.tf:44-118
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
    Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
    FAILED for resource: aws_secretsmanager_secret.db_glue_connection
    File: /lambdas_secrets.tf:1-3
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
2 |   name = "db_glue_connection"
3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
    FAILED for resource: aws_secretsmanager_secret.db_password
    File: /server_backups.tf:4-6
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

4 | resource "aws_secretsmanager_secret" "db_password" {
5 |   name = "db_password"
6 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
    FAILED for resource: aws_db_instance.database_2022
    File: /server_backups.tf:21-56
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

21 | resource "aws_db_instance" "database_2022" {
22 |   # count = local.is-production ? 1 : 0
23 |
24 |   identifier    = "database-v2022"
25 |   license_model = "license-included"
26 |   username      = "admin"
27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
28 |
29 |   engine         = "sqlserver-se"
30 |   engine_version = "16.00.4105.2.v1"
31 |   instance_class = "db.m5.large"
32 |
33 |   storage_type          = "gp2"
34 |   allocated_storage     = 2100
35 |   max_allocated_storage = 2500
36 |   storage_encrypted     = true
37 |
38 |   multi_az = false
39 |
40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
41 |   vpc_security_group_ids = [aws_security_group.db.id]
42 |   port                   = 1433
43 |
44 |   auto_minor_version_upgrade = true
45 |   skip_final_snapshot        = true
46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
47 |   deletion_protection        = false
48 |
49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
50 |
51 |   iam_database_authentication_enabled = false
52 |
53 |   apply_immediately = true
54 |
55 |   tags = local.tags
56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    FAILED for resource: aws_security_group.glue_rds_conn_security_group
    File: /dms_security_groups.tf:71-82
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

71 | resource "aws_security_group" "glue_rds_conn_security_group" {
72 |   name        = "glue-rds-sqlserver-connection-tf"
73 |   description = "Secuity Group for Glue-RDS-Connection"
74 |   vpc_id      = data.aws_vpc.shared.id
75 |
76 |   tags = merge(
77 |     local.tags,
78 |     {
79 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
80 |     }
81 |   )
82 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    FAILED for resource: module.buddi.module.landing_zone_security_groups.aws_security_group.this
    File: /modules/landing_zone/server_security_group/main.tf:7-22
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

7  | resource "aws_security_group" "this" {
8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
10 |   vpc_id      = var.vpc_id
11 |
12 |   lifecycle {
13 |     create_before_destroy = true
14 |   }
15 |
16 |   tags = merge(
17 |     var.local_tags,
18 |     {
19 |       supplier = var.user_name,
20 |     },
21 |   )
22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    FAILED for resource: module.capita.module.landing_zone_security_groups.aws_security_group.this
    File: /modules/landing_zone/server_security_group/main.tf:7-22
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

7  | resource "aws_security_group" "this" {
8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
10 |   vpc_id      = var.vpc_id
11 |
12 |   lifecycle {
13 |     create_before_destroy = true
14 |   }
15 |
16 |   tags = merge(
17 |     var.local_tags,
18 |     {
19 |       supplier = var.user_name,
20 |     },
21 |   )
22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
    File: /modules/landing_zone/server_security_group/main.tf:7-22
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

7  | resource "aws_security_group" "this" {
8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
10 |   vpc_id      = var.vpc_id
11 |
12 |   lifecycle {
13 |     create_before_destroy = true
14 |   }
15 |
16 |   tags = merge(
17 |     var.local_tags,
18 |     {
19 |       supplier = var.user_name,
20 |     },
21 |   )
22 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
    FAILED for resource: /lambdas/update_log_table/Dockerfile.
    File: /lambdas/update_log_table/Dockerfile:1-9
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

1 | FROM public.ecr.aws/lambda/python:3.11
2 |
3 | COPY requirements.txt .
4 |
5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
6 |
7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
8 |
9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
    FAILED for resource: /lambdas/update_log_table/Dockerfile.
    File: /lambdas/update_log_table/Dockerfile:1-9
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

1 | FROM public.ecr.aws/lambda/python:3.11
2 |
3 | COPY requirements.txt .
4 |
5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
6 |
7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
8 |
9 | CMD ["update_log_table.handler"]

checkov_exitcode=2
```
#### `CTFLint Scan` Failed
Show Output
```hcl
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data/modules/step_function terraform/environments/electronic-monitoring-data
*****************************
Running tflint in terraform/environments/electronic-monitoring-data/modules/step_function
Excluding the following checks:
terraform_unused_declarations
2 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on terraform/environments/electronic-monitoring-data/modules/step_function/main.tf line 1:

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/modules/step_function/main.tf line 93:
  93: resource "aws_cloudwatch_log_group" "this_log_group" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2
*****************************
Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks:
terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 189:
  189: data "archive_file" "query_output_to_list" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=4
```
#### `Trivy Scan` Failed
Show Output
```hcl
*****************************
Trivy will check the following folders:
terraform/environments/electronic-monitoring-data/modules/step_function terraform/environments/electronic-monitoring-data
*****************************
Running Trivy in terraform/environments/electronic-monitoring-data/modules/step_function
2024-10-28T18:28:07Z INFO [vulndb] Need to update DB
2024-10-28T18:28:07Z INFO [vulndb] Downloading vulnerability DB...
2024-10-28T18:28:07Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-28T18:28:10Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-28T18:28:10Z INFO [vuln] Vulnerability scanning is enabled
2024-10-28T18:28:10Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-28T18:28:10Z INFO [misconfig] Need to update the built-in checks
2024-10-28T18:28:10Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [------------------------------------------------------] 100.00% ? p/s 100ms
2024-10-28T18:28:10Z INFO [secret] Secret scanning is enabled
2024-10-28T18:28:10Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-28T18:28:10Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-28T18:28:11Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-28T18:28:11Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="iam_policies, name, variable_dictionary"
2024-10-28T18:28:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_iam_role_policy_attachment.this_attachment" value="cty.NilVal"
2024-10-28T18:28:11Z INFO Number of language-specific files num=0
2024-10-28T18:28:11Z INFO Detected config files num=1
trivy_exitcode=0
*****************************
Running Trivy in terraform/environments/electronic-monitoring-data
2024-10-28T18:28:11Z INFO [vuln] Vulnerability scanning is enabled
2024-10-28T18:28:11Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-28T18:28:11Z INFO [secret] Secret scanning is enabled
2024-10-28T18:28:11Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-28T18:28:11Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-28T18:28:12Z WARN [pip] Unable to find python `site-packages` directory. License detection is skipped. err="site-packages directory not found"
2024-10-28T18:28:13Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-28T18:28:13Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-28T18:28:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_metadata_from_rds_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_metadata_from_rds_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.query_output_to_list.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.query_output_to_list.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.dynamic.tag" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.dynamic.tag" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.principals" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.condition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.transition" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.
block="module.s3-dms-premigrate-assess-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.principals" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.condition" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.transition" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.principals" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.condition" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-dms-target-store-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.transition" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.principals" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.condition" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.transition" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.principals" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.condition" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.transition" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.principals" value="cty.NilVal" 2024-10-28T18:28:15Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.condition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.transition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.principals" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.condition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.transition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.principals" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.condition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.transition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.principals" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.condition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.transition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-glue-job-script-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.principals" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.condition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.transition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.principals" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. 
Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.condition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.transition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.principals" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.condition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. 
Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.transition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.principals" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.condition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.transition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-logging-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.principals" value="cty.NilVal" 2024-10-28T18:28:16Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.condition" value="cty.NilVal" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="s3.tf:1081-1100" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:281-286" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:407-411" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="s3.tf:1081-1100" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-logging" range="s3.tf:1081-1100" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding 
rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" 
range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-28T18:28:21Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="s3.tf:1081-1100"
2024-10-28T18:28:21Z INFO Number of language-specific files num=1
2024-10-28T18:28:21Z INFO [pip] Detecting vulnerabilities...
2024-10-28T18:28:21Z INFO Detected config files num=17

lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────
trivy_exitcode=1
```
github-actions[bot] commented 12 hours ago

Trivy Scan Failed

Show Output

```hcl
*****************************
Trivy will check the following folders:
terraform/environments/electronic-monitoring-data/modules/step_function
terraform/environments/electronic-monitoring-data
*****************************
Running Trivy in terraform/environments/electronic-monitoring-data/modules/step_function
2024-10-29T14:40:10Z INFO [vulndb] Need to update DB
2024-10-29T14:40:10Z INFO [vulndb] Downloading vulnerability DB...
2024-10-29T14:40:10Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T14:40:13Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T14:40:13Z INFO [vuln] Vulnerability scanning is enabled
2024-10-29T14:40:13Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-29T14:40:13Z INFO [misconfig] Need to update the built-in checks
2024-10-29T14:40:13Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-10-29T14:40:13Z INFO [secret] Secret scanning is enabled
2024-10-29T14:40:13Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-29T14:40:13Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-29T14:40:14Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-29T14:40:14Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="iam_policies, name, variable_dictionary"
2024-10-29T14:40:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_iam_role_policy_attachment.this_attachment" value="cty.NilVal"
2024-10-29T14:40:14Z INFO Number of language-specific files num=0
2024-10-29T14:40:14Z INFO Detected config files num=1
trivy_exitcode=0
*****************************
Running Trivy in terraform/environments/electronic-monitoring-data
2024-10-29T14:40:14Z INFO [vuln] Vulnerability scanning is enabled
2024-10-29T14:40:14Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-29T14:40:14Z INFO [secret] Secret scanning is enabled
2024-10-29T14:40:14Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-29T14:40:14Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-29T14:40:15Z WARN [pip] Unable to find python `site-packages` directory. License detection is skipped. err="site-packages directory not found"
2024-10-29T14:40:16Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-29T14:40:16Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-29T14:40:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T14:40:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T14:40:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T14:40:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.
block="module.s3-athena-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-clamav-definitions-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-clamav-definitions-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. 
Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-dms-data-validation-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-dms-premigrate-assess-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-dms-premigrate-assess-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-dms-target-store-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-glue-job-script-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. 
Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. 
Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-logging-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-logging" range="s3.tf:1081-1100" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" 
range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="s3.tf:1081-1100" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:281-286" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:407-411" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="s3.tf:1081-1100" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="s3.tf:1081-1100" 2024-10-29T14:40:24Z INFO [terraform executor] 
Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10" 2024-10-29T14:40:24Z INFO Number of language-specific files num=1 2024-10-29T14:40:24Z INFO [pip] Detecting vulnerabilities... 2024-10-29T14:40:24Z INFO Detected config files num=17 lambdas/update_log_table/Dockerfile (dockerfile) ================================================ Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0) Failures: 1 (HIGH: 1, CRITICAL: 0) HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument ════════════════════════════════════════ Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. See https://avd.aquasec.com/misconfig/ds002 ──────────────────────────────────────── trivy_exitcode=1 ```
#### `Checkov Scan` Failed
```hcl
***************************** Checkov will check the following folders: terraform/environments/electronic-monitoring-data/modules/step_function terraform/environments/electronic-monitoring-data ***************************** Running Checkov in terraform/environments/electronic-monitoring-data/modules/step_function Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39 2024-10-29 14:40:27,045 [MainThread ] [WARNI] [ArmLocalGraph] created 0 vertices 2024-10-29 14:40:27,045 [MainThread ] [WARNI] [ArmLocalGraph] created 0 edges terraform scan results: Passed checks: 43, Failed checks: 7, Skipped checks: 0 Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: aws_iam_policy_document.step_function_base_permissions File: /main.tf:40-49 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 40 | data "aws_iam_policy_document" "step_function_base_permissions" { 41 | statement { 42 | effect = "Allow" 43 | actions = [ 44 | "sns:Publish", 45 | "sqs:SendMessage" 46 | ] 47 | resources = ["*"] 48 | } 49 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: aws_iam_policy_document.step_function_base_permissions File: /main.tf:40-49 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 40 | data "aws_iam_policy_document" "step_function_base_permissions" { 41 | statement { 42 | effect = "Allow" 43 | actions = [ 44 | "sns:Publish", 45 | "sqs:SendMessage" 46 | ] 47 | resources = ["*"] 48 | } 49 | } Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints" FAILED for resource: aws_iam_policy_document.this_log_key_document File: /main.tf:56-80 Guide: 
https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: aws_iam_policy_document.this_log_key_document File: /main.tf:56-80 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: aws_iam_policy_document.this_log_key_document File: /main.tf:56-80 Guide: 
https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled" FAILED for resource: aws_sfn_state_machine.this File: /main.tf:4-9 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285 4 | resource "aws_sfn_state_machine" "this" { 5 | name = var.name 6 | role_arn = aws_iam_role.step_function_role.arn 7 | type = var.state_machine_type 8 | definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary) 9 | } Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled" FAILED for resource: aws_sfn_state_machine.this File: /main.tf:4-9 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284 4 | resource "aws_sfn_state_machine" "this" { 5 | name = var.name 6 | role_arn = aws_iam_role.step_function_role.arn 7 | type = var.state_machine_type 8 | definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary) 9 | } checkov_exitcode=1 ***************************** Running Checkov in terraform/environments/electronic-monitoring-data Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39 2024-10-29 14:40:31,246 [MainThread ] 
[WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3:None (for external modules, the --download-external-modules flag is required) 2024-10-29 14:40:31,246 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060:None (for external modules, the --download-external-modules flag is required) 2024-10-29 14:40:31,247 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.0 (for external modules, the --download-external-modules flag is required) 2024-10-29 14:40:31,247 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=52a40b0:None (for external modules, the --download-external-modules flag is required) 2024-10-29 14:40:31,279 [MainThread ] [WARNI] [ArmLocalGraph] created 0 vertices 2024-10-29 14:40:31,289 [MainThread ] [WARNI] [ArmLocalGraph] created 0 edges terraform scan results: Passed checks: 2365, Failed checks: 75, Skipped checks: 38 Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted" FAILED for resource: aws_sns_topic.s3_events File: /data_store.tf:17-19 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15 17 | resource "aws_sns_topic" "s3_events" { 18 | name = "${module.s3-data-bucket.bucket.id}-object-created-topic" 19 | } Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit" FAILED for resource: aws_lambda_function.calculate_checksum_lambda File: /data_store.tf:82-98 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit 82 | resource "aws_lambda_function" "calculate_checksum_lambda" { 83 | filename = 
"lambdas/calculate_checksum_lambda.zip" 84 | function_name = "calculate-checksum-lambda" 85 | role = aws_iam_role.calculate_checksum_lambda.arn 86 | handler = "calculate_checksum_lambda.handler" 87 | runtime = "python3.12" 88 | memory_size = 4096 89 | timeout = 900 90 | 91 | environment { 92 | variables = { 93 | Checksum = var.checksum_algorithm 94 | } 95 | } 96 | 97 | tags = local.tags 98 | } Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable" FAILED for resource: aws_lambda_function.calculate_checksum_lambda File: /data_store.tf:82-98 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5 82 | resource "aws_lambda_function" "calculate_checksum_lambda" { 83 | filename = "lambdas/calculate_checksum_lambda.zip" 84 | function_name = "calculate-checksum-lambda" 85 | role = aws_iam_role.calculate_checksum_lambda.arn 86 | handler = "calculate_checksum_lambda.handler" 87 | runtime = "python3.12" 88 | memory_size = 4096 89 | timeout = 900 90 | 91 | environment { 92 | variables = { 93 | Checksum = var.checksum_algorithm 94 | } 95 | } 96 | 97 | tags = local.tags 98 | } Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)" FAILED for resource: aws_lambda_function.calculate_checksum_lambda File: /data_store.tf:82-98 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq 82 | resource "aws_lambda_function" "calculate_checksum_lambda" { 83 | filename = "lambdas/calculate_checksum_lambda.zip" 84 | function_name = "calculate-checksum-lambda" 85 | role = aws_iam_role.calculate_checksum_lambda.arn 86 | handler = "calculate_checksum_lambda.handler" 87 | runtime = "python3.12" 88 | memory_size = 4096 89 | timeout = 900 90 | 91 | environment { 92 | variables = { 93 | Checksum = var.checksum_algorithm 94 | } 95 | } 
96 | 97 | tags = local.tags 98 | } Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda" FAILED for resource: aws_lambda_function.calculate_checksum_lambda File: /data_store.tf:82-98 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4 82 | resource "aws_lambda_function" "calculate_checksum_lambda" { 83 | filename = "lambdas/calculate_checksum_lambda.zip" 84 | function_name = "calculate-checksum-lambda" 85 | role = aws_iam_role.calculate_checksum_lambda.arn 86 | handler = "calculate_checksum_lambda.handler" 87 | runtime = "python3.12" 88 | memory_size = 4096 89 | timeout = 900 90 | 91 | environment { 92 | variables = { 93 | Checksum = var.checksum_algorithm 94 | } 95 | } 96 | 97 | tags = local.tags 98 | } Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing" FAILED for resource: aws_lambda_function.calculate_checksum_lambda File: /data_store.tf:82-98 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272 82 | resource "aws_lambda_function" "calculate_checksum_lambda" { 83 | filename = "lambdas/calculate_checksum_lambda.zip" 84 | function_name = "calculate-checksum-lambda" 85 | role = aws_iam_role.calculate_checksum_lambda.arn 86 | handler = "calculate_checksum_lambda.handler" 87 | runtime = "python3.12" 88 | memory_size = 4096 89 | timeout = 900 90 | 91 | environment { 92 | variables = { 93 | Checksum = var.checksum_algorithm 94 | } 95 | } 96 | 97 | tags = local.tags 98 | } Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC" FAILED for resource: aws_lambda_function.calculate_checksum_lambda File: /data_store.tf:82-98 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1 82 | resource "aws_lambda_function" "calculate_checksum_lambda" { 83 | filename 
= "lambdas/calculate_checksum_lambda.zip" 84 | function_name = "calculate-checksum-lambda" 85 | role = aws_iam_role.calculate_checksum_lambda.arn 86 | handler = "calculate_checksum_lambda.handler" 87 | runtime = "python3.12" 88 | memory_size = 4096 89 | timeout = 900 90 | 91 | environment { 92 | variables = { 93 | Checksum = var.checksum_algorithm 94 | } 95 | } 96 | 97 | tags = local.tags 98 | } Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit" FAILED for resource: aws_lambda_function.summarise_zip_lambda File: /data_store.tf:157-168 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit 157 | resource "aws_lambda_function" "summarise_zip_lambda" { 158 | filename = "lambdas/summarise_zip_lambda.zip" 159 | function_name = "summarise-zip-lambda" 160 | role = aws_iam_role.summarise_zip_lambda.arn 161 | handler = "summarise_zip_lambda.handler" 162 | runtime = "python3.12" 163 | timeout = 900 164 | memory_size = 1024 165 | layers = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"] 166 | source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256 167 | tags = local.tags 168 | } Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)" FAILED for resource: aws_lambda_function.summarise_zip_lambda File: /data_store.tf:157-168 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq 157 | resource "aws_lambda_function" "summarise_zip_lambda" { 158 | filename = "lambdas/summarise_zip_lambda.zip" 159 | function_name = "summarise-zip-lambda" 160 | role = aws_iam_role.summarise_zip_lambda.arn 161 | handler = "summarise_zip_lambda.handler" 162 | runtime = 
"python3.12" 163 | timeout = 900 164 | memory_size = 1024 165 | layers = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"] 166 | source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256 167 | tags = local.tags 168 | } Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda" FAILED for resource: aws_lambda_function.summarise_zip_lambda File: /data_store.tf:157-168 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4 157 | resource "aws_lambda_function" "summarise_zip_lambda" { 158 | filename = "lambdas/summarise_zip_lambda.zip" 159 | function_name = "summarise-zip-lambda" 160 | role = aws_iam_role.summarise_zip_lambda.arn 161 | handler = "summarise_zip_lambda.handler" 162 | runtime = "python3.12" 163 | timeout = 900 164 | memory_size = 1024 165 | layers = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"] 166 | source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256 167 | tags = local.tags 168 | } Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing" FAILED for resource: aws_lambda_function.summarise_zip_lambda File: /data_store.tf:157-168 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272 157 | resource "aws_lambda_function" "summarise_zip_lambda" { 158 | filename = "lambdas/summarise_zip_lambda.zip" 159 | function_name = "summarise-zip-lambda" 160 | role = aws_iam_role.summarise_zip_lambda.arn 161 | handler = "summarise_zip_lambda.handler" 162 | runtime = "python3.12" 163 | timeout = 900 164 | memory_size = 1024 165 | layers = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"] 166 | source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256 167 | tags = local.tags 168 | } Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured 
inside a VPC" FAILED for resource: aws_lambda_function.summarise_zip_lambda File: /data_store.tf:157-168 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1 157 | resource "aws_lambda_function" "summarise_zip_lambda" { 158 | filename = "lambdas/summarise_zip_lambda.zip" 159 | function_name = "summarise-zip-lambda" 160 | role = aws_iam_role.summarise_zip_lambda.arn 161 | handler = "summarise_zip_lambda.handler" 162 | runtime = "python3.12" 163 | timeout = 900 164 | memory_size = 1024 165 | layers = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"] 166 | source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256 167 | tags = local.tags 168 | } Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year" FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group File: /dms_data_validation_glue_job.tf:58-61 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338 58 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" { 59 | name = "dms-dv-glue-job" 60 | retention_in_days = 14 61 | } Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS" FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group File: /dms_data_validation_glue_job.tf:58-61 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms 58 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" { 59 | name = "dms-dv-glue-job" 60 | retention_in_days = 14 61 | } Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year" FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2 File: /dms_data_validation_glue_job.tf:63-66 Guide: 
https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338 63 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" { 64 | name = "dms-dv-glue-job-v2" 65 | retention_in_days = 14 66 | } Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS" FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2 File: /dms_data_validation_glue_job.tf:63-66 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms 63 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" { 64 | name = "dms-dv-glue-job-v2" 65 | retention_in_days = 14 66 | } Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year" FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration File: /dms_data_validation_glue_job.tf:68-71 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338 68 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" { 69 | name = "rds-to-s3-parquet-migration" 70 | retention_in_days = 14 71 | } Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS" FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration File: /dms_data_validation_glue_job.tf:68-71 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms 68 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" { 69 | name = "rds-to-s3-parquet-migration" 70 | retention_in_days = 14 71 | } Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year" FAILED for resource: aws_cloudwatch_log_group.resizing_parquet_files File: /dms_data_validation_glue_job.tf:73-76 Guide: 
https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338 73 | resource "aws_cloudwatch_log_group" "resizing_parquet_files" { 74 | name = "resizing-parquet-files" 75 | retention_in_days = 14 76 | } Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS" FAILED for resource: aws_cloudwatch_log_group.resizing_parquet_files File: /dms_data_validation_glue_job.tf:73-76 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms 73 | resource "aws_cloudwatch_log_group" "resizing_parquet_files" { 74 | name = "resizing-parquet-files" 75 | retention_in_days = 14 76 | } Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated" FAILED for resource: aws_glue_job.dms_dv_glue_job_v2 File: /dms_data_validation_glue_job.tf:79-132 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration Code lines for this resource are too many. Please use IDE of your choice to review the file. Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated" FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d File: /dms_data_validation_glue_job.tf:140-193 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration Code lines for this resource are too many. Please use IDE of your choice to review the file. 
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated" FAILED for resource: aws_glue_job.rds_to_s3_parquet_migration File: /dms_data_validation_glue_job.tf:196-260 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration Code lines for this resource are too many. Please use IDE of your choice to review the file. Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated" FAILED for resource: aws_glue_job.rds_to_s3_parquet_migration_monthly File: /dms_data_validation_glue_job.tf:264-315 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration Code lines for this resource are too many. Please use IDE of your choice to review the file. Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated" FAILED for resource: aws_glue_job.resizing_parquet_files File: /dms_data_validation_glue_job.tf:318-370 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration Code lines for this resource are too many. Please use IDE of your choice to review the file. 
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated" FAILED for resource: aws_glue_job.catalog_dv_table_glue_job File: /dms_data_validation_glue_job.tf:373-401 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration 373 | resource "aws_glue_job" "catalog_dv_table_glue_job" { 374 | name = "catalog-dv-table-glue-job" 375 | description = "Python script uses Boto3-Athena-Client to run sql-statements" 376 | role_arn = aws_iam_role.dms_dv_glue_job_iam_role.arn 377 | glue_version = "4.0" 378 | worker_type = "G.1X" 379 | number_of_workers = 2 380 | default_arguments = { 381 | "--parquet_output_bucket_name" = module.s3-dms-data-validation-bucket.bucket.id 382 | "--glue_catalog_db_name" = aws_glue_catalog_database.dms_dv_glue_catalog_db.name 383 | "--glue_catalog_tbl_name" = "glue_df_output" 384 | "--continuous-log-logGroup" = aws_cloudwatch_log_group.dms_dv_cw_log_group.name 385 | "--enable-continuous-cloudwatch-log" = "true" 386 | "--enable-continuous-log-filter" = "true" 387 | "--enable-metrics" = "" 388 | } 389 | command { 390 | python_version = "3" 391 | script_location = "s3://${module.s3-glue-job-script-bucket.bucket.id}/create_or_replace_dv_table.py" 392 | } 393 | 394 | tags = merge( 395 | local.tags, 396 | { 397 | Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions", 398 | } 399 | ) 400 | 401 | } Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated" FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler File: /dms_glue_crawler.tf:35-56 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration 35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" { 36 | name = 
"rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf" 37 | role = aws_iam_role.dms_dv_glue_job_iam_role.arn 38 | database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name 39 | description = "Crawler to fetch database names" 40 | # table_prefix = "your_table_prefix" 41 | 42 | jdbc_target { 43 | connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name 44 | path = "%" 45 | } 46 | tags = merge( 47 | local.tags, 48 | { 49 | Resource_Type = "RDS-SQLServer Glue-Crawler for DMS", 50 | } 51 | ) 52 | 53 | # provisioner "local-exec" { 54 | # command = "aws glue start-crawler --name ${self.name}" 55 | # } 56 | } Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)" FAILED for resource: aws_dms_replication_instance.dms_replication_instance File: /dms_replication_instance.tf:24-55 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk 24 | resource "aws_dms_replication_instance" "dms_replication_instance" { 25 | allocated_storage = var.dms_allocated_storage_gib 26 | apply_immediately = true 27 | auto_minor_version_upgrade = true 28 | availability_zone = var.dms_availability_zone 29 | engine_version = var.dms_engine_version 30 | # kms_key_arn = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8" 31 | multi_az = false 32 | # preferred_maintenance_window = "sun:10:30-sun:14:30" 33 | publicly_accessible = false 34 | replication_instance_class = var.dms_replication_instance_class 35 | replication_instance_id = "dms-replication-instance-tf" 36 | replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id 37 | 38 | tags = merge( 39 | local.tags, 40 | { 41 | Resource_Type = "DMS Replication Instance", 42 | } 43 | ) 44 | 45 | vpc_security_group_ids = [ 46 | 
aws_security_group.dms_ri_security_group.id, 47 | ] 48 | 49 | depends_on = [ 50 | aws_iam_role.dms_vpc_role, 51 | aws_iam_role.dms_cloudwatch_logs_role, 52 | aws_iam_role.dms_endpoint_role 53 | ] 54 | 55 | } Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80" FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound File: /dms_security_groups.tf:95-103 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80 95 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" { 96 | security_group_id = aws_security_group.glue_rds_conn_security_group.id 97 | 98 | referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id 99 | ip_protocol = "tcp" 100 | from_port = 0 101 | to_port = 65535 102 | description = "Required ports open for Glue-RDS-Connection" 103 | } Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22" FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound File: /dms_security_groups.tf:95-103 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security 95 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" { 96 | security_group_id = aws_security_group.glue_rds_conn_security_group.id 97 | 98 | referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id 99 | ip_protocol = "tcp" 100 | from_port = 0 101 | to_port = 65535 102 | description = "Required ports open for Glue-RDS-Connection" 103 | } Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389" FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound File: /dms_security_groups.tf:95-103 Guide: 
https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2 95 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" { 96 | security_group_id = aws_security_group.glue_rds_conn_security_group.id 97 | 98 | referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id 99 | ip_protocol = "tcp" 100 | from_port = 0 101 | to_port = 65535 102 | description = "Required ports open for Glue-RDS-Connection" 103 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document File: /glue_data.tf:96-111 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 96 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" { 97 | statement { 98 | effect = "Allow" 99 | actions = [ 100 | "ec2:CreateNetworkInterface", 101 | "ec2:DescribeNetworkInterfaces", 102 | "ec2:DeleteNetworkInterface", 103 | "ec2:DescribeVpcEndpoints", 104 | "ec2:DescribeSubnets", 105 | "ec2:DescribeVpcAttribute", 106 | "ec2:DescribeRouteTables", 107 | "ec2:DescribeSecurityGroups" 108 | ] 109 | resources = ["*"] 110 | } 111 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document File: /glue_data.tf:96-111 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 96 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" { 97 | statement { 98 | effect = "Allow" 99 | actions = [ 100 | "ec2:CreateNetworkInterface", 101 | "ec2:DescribeNetworkInterfaces", 102 | "ec2:DeleteNetworkInterface", 103 | "ec2:DescribeVpcEndpoints", 104 | "ec2:DescribeSubnets", 105 | 
"ec2:DescribeVpcAttribute", 106 | "ec2:DescribeRouteTables", 107 | "ec2:DescribeSecurityGroups" 108 | ] 109 | resources = ["*"] 110 | } 111 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document File: /lambdas_iam.tf:430-487 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint Code lines for this resource are too many. Please use IDE of your choice to review the file. Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document File: /lambdas_iam.tf:430-487 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 Code lines for this resource are too many. Please use IDE of your choice to review the file. 
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK" FAILED for resource: aws_secretsmanager_secret.db_glue_connection File: /lambdas_secrets.tf:1-3 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms 1 | resource "aws_secretsmanager_secret" "db_glue_connection" { 2 | name = "db_glue_connection" 3 | } Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)" FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source File: /modules/dms/endpoints_rds_s3.tf:2-23 Calling File: /dms_main.tf:1-39 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296 2 | resource "aws_dms_endpoint" "dms_rds_source" { 3 | 4 | # certificate_arn = "" 5 | database_name = var.database_name 6 | endpoint_id = "rds-mssql-${replace(var.database_name, "_", "-")}-tf" 7 | endpoint_type = "source" 8 | engine_name = "sqlserver" 9 | # extra_connection_attributes = "" 10 | # kms_key_arn = aws_db_instance.database_2022.kms_key_id 11 | password = var.rds_db_instance_pasword 12 | port = var.rds_db_instance_port 13 | server_name = var.rds_db_server_name 14 | ssl_mode = "require" 15 | username = var.rds_db_username 16 | 17 | tags = merge( 18 | var.local_tags, 19 | { 20 | Resource_Type = "DMS Source Endpoint - RDS MSSQL", 21 | }, 22 | ) 23 | } Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)" FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target File: /modules/dms/endpoints_rds_s3.tf:28-84 Calling File: /dms_main.tf:1-39 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298 Code lines for this resource are too many. Please use IDE of your choice to review the file. 
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled" FAILED for resource: module.athena_layer.aws_sfn_state_machine.this File: /modules/step_function/main.tf:4-9 Calling File: /step_functions_main.tf:5-13 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285 4 | resource "aws_sfn_state_machine" "this" { 5 | name = var.name 6 | role_arn = aws_iam_role.step_function_role.arn 7 | type = var.state_machine_type 8 | definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary) 9 | } Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled" FAILED for resource: module.athena_layer.aws_sfn_state_machine.this File: /modules/step_function/main.tf:4-9 Calling File: /step_functions_main.tf:5-13 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284 4 | resource "aws_sfn_state_machine" "this" { 5 | name = var.name 6 | role_arn = aws_iam_role.step_function_role.arn 7 | type = var.state_machine_type 8 | definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary) 9 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: module.athena_layer.aws_iam_policy_document.step_function_base_permissions File: /modules/step_function/main.tf:40-49 Calling File: /step_functions_main.tf:5-13 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 40 | data "aws_iam_policy_document" "step_function_base_permissions" { 41 | statement { 42 | effect = "Allow" 43 | actions = [ 44 | "sns:Publish", 45 | "sqs:SendMessage" 46 | ] 47 | resources = ["*"] 48 | } 49 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for 
resource: module.athena_layer.aws_iam_policy_document.step_function_base_permissions File: /modules/step_function/main.tf:40-49 Calling File: /step_functions_main.tf:5-13 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 40 | data "aws_iam_policy_document" "step_function_base_permissions" { 41 | statement { 42 | effect = "Allow" 43 | actions = [ 44 | "sns:Publish", 45 | "sqs:SendMessage" 46 | ] 47 | resources = ["*"] 48 | } 49 | } Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints" FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:5-13 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:5-13 Guide: 
https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:5-13 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled" FAILED for resource: module.get_zipped_file.aws_sfn_state_machine.this File: /modules/step_function/main.tf:4-9 Calling File: 
/step_functions_main.tf:38-49 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285 4 | resource "aws_sfn_state_machine" "this" { 5 | name = var.name 6 | role_arn = aws_iam_role.step_function_role.arn 7 | type = var.state_machine_type 8 | definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary) 9 | } Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled" FAILED for resource: module.get_zipped_file.aws_sfn_state_machine.this File: /modules/step_function/main.tf:4-9 Calling File: /step_functions_main.tf:38-49 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284 4 | resource "aws_sfn_state_machine" "this" { 5 | name = var.name 6 | role_arn = aws_iam_role.step_function_role.arn 7 | type = var.state_machine_type 8 | definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary) 9 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: module.get_zipped_file.aws_iam_policy_document.step_function_base_permissions File: /modules/step_function/main.tf:40-49 Calling File: /step_functions_main.tf:38-49 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 40 | data "aws_iam_policy_document" "step_function_base_permissions" { 41 | statement { 42 | effect = "Allow" 43 | actions = [ 44 | "sns:Publish", 45 | "sqs:SendMessage" 46 | ] 47 | resources = ["*"] 48 | } 49 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: module.get_zipped_file.aws_iam_policy_document.step_function_base_permissions File: /modules/step_function/main.tf:40-49 Calling File: /step_functions_main.tf:38-49 Guide: 
https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 40 | data "aws_iam_policy_document" "step_function_base_permissions" { 41 | statement { 42 | effect = "Allow" 43 | actions = [ 44 | "sns:Publish", 45 | "sqs:SendMessage" 46 | ] 47 | resources = ["*"] 48 | } 49 | } Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints" FAILED for resource: module.get_zipped_file.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:38-49 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: module.get_zipped_file.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:38-49 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 
| principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: module.get_zipped_file.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:38-49 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled" FAILED for resource: module.send_database_to_ap.aws_sfn_state_machine.this File: /modules/step_function/main.tf:4-9 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285 4 | resource "aws_sfn_state_machine" "this" { 5 | name = var.name 6 | role_arn = aws_iam_role.step_function_role.arn 7 | type = var.state_machine_type 8 | 
definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary) 9 | } Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled" FAILED for resource: module.send_database_to_ap.aws_sfn_state_machine.this File: /modules/step_function/main.tf:4-9 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284 4 | resource "aws_sfn_state_machine" "this" { 5 | name = var.name 6 | role_arn = aws_iam_role.step_function_role.arn 7 | type = var.state_machine_type 8 | definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary) 9 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: module.send_database_to_ap.aws_iam_policy_document.step_function_base_permissions File: /modules/step_function/main.tf:40-49 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 40 | data "aws_iam_policy_document" "step_function_base_permissions" { 41 | statement { 42 | effect = "Allow" 43 | actions = [ 44 | "sns:Publish", 45 | "sqs:SendMessage" 46 | ] 47 | resources = ["*"] 48 | } 49 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: module.send_database_to_ap.aws_iam_policy_document.step_function_base_permissions File: /modules/step_function/main.tf:40-49 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 40 | data "aws_iam_policy_document" "step_function_base_permissions" { 41 | statement { 42 | effect = "Allow" 43 | actions = [ 44 | "sns:Publish", 45 | "sqs:SendMessage" 46 | ] 47 | resources = 
["*"] 48 | } 49 | } Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints" FAILED for resource: module.send_database_to_ap.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: module.send_database_to_ap.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | 
type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: module.send_database_to_ap.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK" FAILED for resource: aws_secretsmanager_secret.db_password File: /server_backups.tf:4-6 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms 4 | resource "aws_secretsmanager_secret" "db_password" { 5 | name = "db_password" 6 | } Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs" FAILED for resource: aws_db_instance.database_2022 File: /server_backups.tf:21-56 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354 21 | resource "aws_db_instance" "database_2022" { 22 | # count = local.is-production ? 
1 : 0 23 | 24 | identifier = "database-v2022" 25 | license_model = "license-included" 26 | username = "admin" 27 | password = aws_secretsmanager_secret_version.db_password.secret_string 28 | 29 | engine = "sqlserver-se" 30 | engine_version = "16.00.4105.2.v1" 31 | instance_class = "db.m5.large" 32 | 33 | storage_type = "gp2" 34 | allocated_storage = 2100 35 | max_allocated_storage = 2500 36 | storage_encrypted = true 37 | 38 | multi_az = false 39 | 40 | db_subnet_group_name = aws_db_subnet_group.db.id 41 | vpc_security_group_ids = [aws_security_group.db.id] 42 | port = 1433 43 | 44 | auto_minor_version_upgrade = true 45 | skip_final_snapshot = true 46 | maintenance_window = "Mon:00:00-Mon:03:00" 47 | deletion_protection = false 48 | 49 | option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name 50 | 51 | iam_database_authentication_enabled = false 52 | 53 | apply_immediately = true 54 | 55 | tags = local.tags 56 | } Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled" FAILED for resource: aws_db_instance.database_2022 File: /server_backups.tf:21-56 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73 21 | resource "aws_db_instance" "database_2022" { 22 | # count = local.is-production ? 
1 : 0 23 | 24 | identifier = "database-v2022" 25 | license_model = "license-included" 26 | username = "admin" 27 | password = aws_secretsmanager_secret_version.db_password.secret_string 28 | 29 | engine = "sqlserver-se" 30 | engine_version = "16.00.4105.2.v1" 31 | instance_class = "db.m5.large" 32 | 33 | storage_type = "gp2" 34 | allocated_storage = 2100 35 | max_allocated_storage = 2500 36 | storage_encrypted = true 37 | 38 | multi_az = false 39 | 40 | db_subnet_group_name = aws_db_subnet_group.db.id 41 | vpc_security_group_ids = [aws_security_group.db.id] 42 | port = 1433 43 | 44 | auto_minor_version_upgrade = true 45 | skip_final_snapshot = true 46 | maintenance_window = "Mon:00:00-Mon:03:00" 47 | deletion_protection = false 48 | 49 | option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name 50 | 51 | iam_database_authentication_enabled = false 52 | 53 | apply_immediately = true 54 | 55 | tags = local.tags 56 | } Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances" FAILED for resource: aws_db_instance.database_2022 File: /server_backups.tf:21-56 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances 21 | resource "aws_db_instance" "database_2022" { 22 | # count = local.is-production ? 
1 : 0 23 | 24 | identifier = "database-v2022" 25 | license_model = "license-included" 26 | username = "admin" 27 | password = aws_secretsmanager_secret_version.db_password.secret_string 28 | 29 | engine = "sqlserver-se" 30 | engine_version = "16.00.4105.2.v1" 31 | instance_class = "db.m5.large" 32 | 33 | storage_type = "gp2" 34 | allocated_storage = 2100 35 | max_allocated_storage = 2500 36 | storage_encrypted = true 37 | 38 | multi_az = false 39 | 40 | db_subnet_group_name = aws_db_subnet_group.db.id 41 | vpc_security_group_ids = [aws_security_group.db.id] 42 | port = 1433 43 | 44 | auto_minor_version_upgrade = true 45 | skip_final_snapshot = true 46 | maintenance_window = "Mon:00:00-Mon:03:00" 47 | deletion_protection = false 48 | 49 | option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name 50 | 51 | iam_database_authentication_enabled = false 52 | 53 | apply_immediately = true 54 | 55 | tags = local.tags 56 | } Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled" FAILED for resource: aws_db_instance.database_2022 File: /server_backups.tf:21-56 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353 21 | resource "aws_db_instance" "database_2022" { 22 | # count = local.is-production ? 
1 : 0 23 | 24 | identifier = "database-v2022" 25 | license_model = "license-included" 26 | username = "admin" 27 | password = aws_secretsmanager_secret_version.db_password.secret_string 28 | 29 | engine = "sqlserver-se" 30 | engine_version = "16.00.4105.2.v1" 31 | instance_class = "db.m5.large" 32 | 33 | storage_type = "gp2" 34 | allocated_storage = 2100 35 | max_allocated_storage = 2500 36 | storage_encrypted = true 37 | 38 | multi_az = false 39 | 40 | db_subnet_group_name = aws_db_subnet_group.db.id 41 | vpc_security_group_ids = [aws_security_group.db.id] 42 | port = 1433 43 | 44 | auto_minor_version_upgrade = true 45 | skip_final_snapshot = true 46 | maintenance_window = "Mon:00:00-Mon:03:00" 47 | deletion_protection = false 48 | 49 | option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name 50 | 51 | iam_database_authentication_enabled = false 52 | 53 | apply_immediately = true 54 | 55 | tags = local.tags 56 | } Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled" FAILED for resource: aws_db_instance.database_2022 File: /server_backups.tf:21-56 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293 21 | resource "aws_db_instance" "database_2022" { 22 | # count = local.is-production ? 
1 : 0 23 | 24 | identifier = "database-v2022" 25 | license_model = "license-included" 26 | username = "admin" 27 | password = aws_secretsmanager_secret_version.db_password.secret_string 28 | 29 | engine = "sqlserver-se" 30 | engine_version = "16.00.4105.2.v1" 31 | instance_class = "db.m5.large" 32 | 33 | storage_type = "gp2" 34 | allocated_storage = 2100 35 | max_allocated_storage = 2500 36 | storage_encrypted = true 37 | 38 | multi_az = false 39 | 40 | db_subnet_group_name = aws_db_subnet_group.db.id 41 | vpc_security_group_ids = [aws_security_group.db.id] 42 | port = 1433 43 | 44 | auto_minor_version_upgrade = true 45 | skip_final_snapshot = true 46 | maintenance_window = "Mon:00:00-Mon:03:00" 47 | deletion_protection = false 48 | 49 | option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name 50 | 51 | iam_database_authentication_enabled = false 52 | 53 | apply_immediately = true 54 | 55 | tags = local.tags 56 | } Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled" FAILED for resource: aws_db_instance.database_2022 File: /server_backups.tf:21-56 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled 21 | resource "aws_db_instance" "database_2022" { 22 | # count = local.is-production ? 
1 : 0
        23 |
        24 |   identifier    = "database-v2022"
        25 |   license_model = "license-included"
        26 |   username      = "admin"
        27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
        28 |
        29 |   engine         = "sqlserver-se"
        30 |   engine_version = "16.00.4105.2.v1"
        31 |   instance_class = "db.m5.large"
        32 |
        33 |   storage_type          = "gp2"
        34 |   allocated_storage     = 2100
        35 |   max_allocated_storage = 2500
        36 |   storage_encrypted     = true
        37 |
        38 |   multi_az = false
        39 |
        40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
        41 |   vpc_security_group_ids = [aws_security_group.db.id]
        42 |   port                   = 1433
        43 |
        44 |   auto_minor_version_upgrade = true
        45 |   skip_final_snapshot        = true
        46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
        47 |   deletion_protection        = false
        48 |
        49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
        50 |
        51 |   iam_database_authentication_enabled = false
        52 |
        53 |   apply_immediately = true
        54 |
        55 |   tags = local.tags
        56 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    FAILED for resource: aws_iam_policy_document.send_database_to_ap
    File: /step_functions_iam.tf:44-118
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint
        Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    FAILED for resource: aws_iam_policy_document.send_database_to_ap
    File: /step_functions_iam.tf:44-118
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356
        Code lines for this resource are too many. Please use IDE of your choice to review the file.

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
    FAILED for resource: aws_secretsmanager_secret.db_glue_connection
    File: /lambdas_secrets.tf:1-3
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

        1 | resource "aws_secretsmanager_secret" "db_glue_connection" {
        2 |   name = "db_glue_connection"
        3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
    FAILED for resource: aws_secretsmanager_secret.db_password
    File: /server_backups.tf:4-6
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

        4 | resource "aws_secretsmanager_secret" "db_password" {
        5 |   name = "db_password"
        6 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
    FAILED for resource: aws_db_instance.database_2022
    File: /server_backups.tf:21-56
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

        21 | resource "aws_db_instance" "database_2022" {
        22 |   # count = local.is-production ? 1 : 0
        23 |
        24 |   identifier    = "database-v2022"
        25 |   license_model = "license-included"
        26 |   username      = "admin"
        27 |   password      = aws_secretsmanager_secret_version.db_password.secret_string
        28 |
        29 |   engine         = "sqlserver-se"
        30 |   engine_version = "16.00.4105.2.v1"
        31 |   instance_class = "db.m5.large"
        32 |
        33 |   storage_type          = "gp2"
        34 |   allocated_storage     = 2100
        35 |   max_allocated_storage = 2500
        36 |   storage_encrypted     = true
        37 |
        38 |   multi_az = false
        39 |
        40 |   db_subnet_group_name   = aws_db_subnet_group.db.id
        41 |   vpc_security_group_ids = [aws_security_group.db.id]
        42 |   port                   = 1433
        43 |
        44 |   auto_minor_version_upgrade = true
        45 |   skip_final_snapshot        = true
        46 |   maintenance_window         = "Mon:00:00-Mon:03:00"
        47 |   deletion_protection        = false
        48 |
        49 |   option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name
        50 |
        51 |   iam_database_authentication_enabled = false
        52 |
        53 |   apply_immediately = true
        54 |
        55 |   tags = local.tags
        56 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    FAILED for resource: aws_security_group.glue_rds_conn_security_group
    File: /dms_security_groups.tf:71-82
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

        71 | resource "aws_security_group" "glue_rds_conn_security_group" {
        72 |   name        = "glue-rds-sqlserver-connection-tf"
        73 |   description = "Secuity Group for Glue-RDS-Connection"
        74 |   vpc_id      = data.aws_vpc.shared.id
        75 |
        76 |   tags = merge(
        77 |     local.tags,
        78 |     {
        79 |       Resource_Type = "Secuity Group for Glue-RDS-Connection",
        80 |     }
        81 |   )
        82 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    FAILED for resource: module.buddi.module.landing_zone_security_groups.aws_security_group.this
    File: /modules/landing_zone/server_security_group/main.tf:7-22
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

        7  | resource "aws_security_group" "this" {
        8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
        9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
        10 |   vpc_id      = var.vpc_id
        11 |
        12 |   lifecycle {
        13 |     create_before_destroy = true
        14 |   }
        15 |
        16 |   tags = merge(
        17 |     var.local_tags,
        18 |     {
        19 |       supplier = var.user_name,
        20 |     },
        21 |   )
        22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    FAILED for resource: module.capita.module.landing_zone_security_groups.aws_security_group.this
    File: /modules/landing_zone/server_security_group/main.tf:7-22
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

        7  | resource "aws_security_group" "this" {
        8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
        9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
        10 |   vpc_id      = var.vpc_id
        11 |
        12 |   lifecycle {
        13 |     create_before_destroy = true
        14 |   }
        15 |
        16 |   tags = merge(
        17 |     var.local_tags,
        18 |     {
        19 |       supplier = var.user_name,
        20 |     },
        21 |   )
        22 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this
    File: /modules/landing_zone/server_security_group/main.tf:7-22
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

        7  | resource "aws_security_group" "this" {
        8  |   name        = "${var.supplier}-${var.user_name}-inbound-ips"
        9  |   description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server"
        10 |   vpc_id      = var.vpc_id
        11 |
        12 |   lifecycle {
        13 |     create_before_destroy = true
        14 |   }
        15 |
        16 |   tags = merge(
        17 |     var.local_tags,
        18 |     {
        19 |       supplier = var.user_name,
        20 |     },
        21 |   )
        22 | }

dockerfile scan results:

Passed checks: 21, Failed checks: 2, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
    FAILED for resource: /lambdas/update_log_table/Dockerfile.
    File: /lambdas/update_log_table/Dockerfile:1-9
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

        1 | FROM public.ecr.aws/lambda/python:3.11
        2 |
        3 | COPY requirements.txt .
        4 |
        5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
        6 |
        7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
        8 |
        9 | CMD ["update_log_table.handler"]

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
    FAILED for resource: /lambdas/update_log_table/Dockerfile.
    File: /lambdas/update_log_table/Dockerfile:1-9
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

        1 | FROM public.ecr.aws/lambda/python:3.11
        2 |
        3 | COPY requirements.txt .
        4 |
        5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}"
        6 |
        7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT}
        8 |
        9 | CMD ["update_log_table.handler"]

checkov_exitcode=2
```
#### `CTFLint Scan` Failed
Show Output

```hcl
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data/modules/step_function
terraform/environments/electronic-monitoring-data
*****************************
Running tflint in terraform/environments/electronic-monitoring-data/modules/step_function
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on terraform/environments/electronic-monitoring-data/modules/step_function/main.tf line 1:

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/modules/step_function/main.tf line 93:
  93: resource "aws_cloudwatch_log_group" "this_log_group" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2
*****************************
Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 189:
 189: data "archive_file" "query_output_to_list" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=4
```
#### `Trivy Scan` Failed
Show Output

```hcl
*****************************
Trivy will check the following folders:
terraform/environments/electronic-monitoring-data/modules/step_function
terraform/environments/electronic-monitoring-data
*****************************
Running Trivy in terraform/environments/electronic-monitoring-data/modules/step_function
2024-10-29T14:40:10Z    INFO    [vulndb] Need to update DB
2024-10-29T14:40:10Z    INFO    [vulndb] Downloading vulnerability DB...
2024-10-29T14:40:10Z    INFO    [vulndb] Downloading artifact...    repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T14:40:13Z    INFO    [vulndb] Artifact successfully downloaded    repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T14:40:13Z    INFO    [vuln] Vulnerability scanning is enabled
2024-10-29T14:40:13Z    INFO    [misconfig] Misconfiguration scanning is enabled
2024-10-29T14:40:13Z    INFO    [misconfig] Need to update the built-in checks
2024-10-29T14:40:13Z    INFO    [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s
2024-10-29T14:40:13Z    INFO    [secret] Secret scanning is enabled
2024-10-29T14:40:13Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-29T14:40:13Z    INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-29T14:40:14Z    INFO    [terraform scanner] Scanning root module    file_path="."
2024-10-29T14:40:14Z    WARN    [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.    module="root" variables="iam_policies, name, variable_dictionary"
2024-10-29T14:40:14Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="aws_iam_role_policy_attachment.this_attachment" value="cty.NilVal"
2024-10-29T14:40:14Z    INFO    Number of language-specific files    num=0
2024-10-29T14:40:14Z    INFO    Detected config files    num=1
trivy_exitcode=0
*****************************
Running Trivy in terraform/environments/electronic-monitoring-data
2024-10-29T14:40:14Z    INFO    [vuln] Vulnerability scanning is enabled
2024-10-29T14:40:14Z    INFO    [misconfig] Misconfiguration scanning is enabled
2024-10-29T14:40:14Z    INFO    [secret] Secret scanning is enabled
2024-10-29T14:40:14Z    INFO    [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-29T14:40:14Z    INFO    [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-29T14:40:15Z    WARN    [pip] Unable to find python `site-packages` directory. License detection is skipped.    err="site-packages directory not found"
2024-10-29T14:40:16Z    INFO    [terraform scanner] Scanning root module    file_path="."
2024-10-29T14:40:16Z    WARN    [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.    module="root" variables="networking"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.get_metadata_from_rds_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.get_metadata_from_rds_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.query_output_to_list.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.query_output_to_list.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.rds_bastion.aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.rds_bastion.data.aws_subnet.local_account" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.rds_bastion.dynamic.tag" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.rds_bastion.dynamic.tag" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.rds_bastion.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.rds_bastion.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.rds_bastion.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.rds_bastion.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.rds_bastion.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.rds_bastion.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.rds_bastion.module.s3-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.rds_bastion.module.s3-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.rds_bastion.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.rds_bastion.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.rds_bastion.module.s3-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.rds_bastion.module.s3-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-athena-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-athena-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-athena-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-athena-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-athena-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-athena-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-athena-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-athena-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-athena-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-athena-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-athena-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T14:40:18Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-athena-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-clamav-definitions-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-clamav-definitions-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-clamav-definitions-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-clamav-definitions-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-clamav-definitions-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-clamav-definitions-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-clamav-definitions-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-clamav-definitions-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-clamav-definitions-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-clamav-definitions-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-clamav-definitions-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-clamav-definitions-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-data-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-data-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-data-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-data-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-data-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-data-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-data-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-data-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-data-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-data-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-data-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-data-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-data-validation-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-data-validation-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-data-validation-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-data-validation-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-data-validation-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-data-validation-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-data-validation-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-data-validation-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-data-validation-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-data-validation-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-data-validation-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-data-validation-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-premigrate-assess-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-premigrate-assess-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-premigrate-assess-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-premigrate-assess-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-premigrate-assess-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-premigrate-assess-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-premigrate-assess-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-premigrate-assess-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-premigrate-assess-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-premigrate-assess-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-premigrate-assess-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-premigrate-assess-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-target-store-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-target-store-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-target-store-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-target-store-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-target-store-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-target-store-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-target-store-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-target-store-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-target-store-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-target-store-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-target-store-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-dms-target-store-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.    block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T14:40:19Z    ERROR   [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.
block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-glue-job-script-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. 
Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. 
Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-logging-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T14:40:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-logging" range="s3.tf:1081-1100" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" 
range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="s3.tf:1081-1100" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:281-286" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:407-411" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="s3.tf:1081-1100" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="s3.tf:1081-1100" 2024-10-29T14:40:24Z INFO [terraform executor] 
Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10" 2024-10-29T14:40:24Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10" 2024-10-29T14:40:24Z INFO Number of language-specific files num=1 2024-10-29T14:40:24Z INFO [pip] Detecting vulnerabilities... 2024-10-29T14:40:24Z INFO Detected config files num=17 lambdas/update_log_table/Dockerfile (dockerfile) ================================================ Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0) Failures: 1 (HIGH: 1, CRITICAL: 0) HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument ════════════════════════════════════════ Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile. See https://avd.aquasec.com/misconfig/ds002 ──────────────────────────────────────── trivy_exitcode=1 ```
github-actions[bot] commented 11 hours ago

Trivy Scan Failed

```hcl
***************************** Trivy will check the following folders: terraform/environments/electronic-monitoring-data/modules/step_function terraform/environments/electronic-monitoring-data ***************************** Running Trivy in terraform/environments/electronic-monitoring-data/modules/step_function 2024-10-29T15:30:11Z INFO [vulndb] Need to update DB 2024-10-29T15:30:11Z INFO [vulndb] Downloading vulnerability DB... 2024-10-29T15:30:11Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2" 2024-10-29T15:30:13Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2" 2024-10-29T15:30:13Z INFO [vuln] Vulnerability scanning is enabled 2024-10-29T15:30:13Z INFO [misconfig] Misconfiguration scanning is enabled 2024-10-29T15:30:13Z INFO [misconfig] Need to update the built-in checks 2024-10-29T15:30:13Z INFO [misconfig] Downloading the built-in checks... 2024-10-29T15:30:13Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 276.386µs, allowed: 44000/minute\n\n" 2024-10-29T15:30:13Z INFO [secret] Secret scanning is enabled 2024-10-29T15:30:13Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning 2024-10-29T15:30:13Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection 2024-10-29T15:30:14Z INFO [terraform scanner] Scanning root module file_path="." 2024-10-29T15:30:14Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="iam_policies, name, variable_dictionary" 2024-10-29T15:30:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. 
Must be known and iterable. block="aws_iam_role_policy_attachment.this_attachment" value="cty.NilVal" 2024-10-29T15:30:14Z INFO Number of language-specific files num=0 2024-10-29T15:30:14Z INFO Detected config files num=1 trivy_exitcode=0 ***************************** Running Trivy in terraform/environments/electronic-monitoring-data 2024-10-29T15:30:14Z INFO [vuln] Vulnerability scanning is enabled 2024-10-29T15:30:14Z INFO [misconfig] Misconfiguration scanning is enabled 2024-10-29T15:30:14Z INFO [misconfig] Need to update the built-in checks 2024-10-29T15:30:14Z INFO [misconfig] Downloading the built-in checks... 2024-10-29T15:30:14Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16957b935ef82529bc26f3ceeeb60d798c90ef142d25e3715ab4478b204ed1bb: TOOMANYREQUESTS: retry-after: 301.241µs, allowed: 44000/minute" 2024-10-29T15:30:14Z INFO [secret] Secret scanning is enabled 2024-10-29T15:30:14Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning 2024-10-29T15:30:14Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection 2024-10-29T15:30:15Z WARN [pip] Unable to find python `site-packages` directory. License detection is skipped. err="site-packages directory not found" 2024-10-29T15:30:16Z INFO [terraform scanner] Scanning root module file_path="." 2024-10-29T15:30:16Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking" 2024-10-29T15:30:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T15:30:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T15:30:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T15:30:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T15:30:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_metadata_from_rds_lambda.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T15:30:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_metadata_from_rds_lambda.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.query_output_to_list.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.query_output_to_list.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.aws_s3_object.user_public_keys" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.data.aws_subnet.local_account" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.dynamic.tag" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.dynamic.tag" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.rds_bastion.module.s3-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-athena-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-logging-bucket.dynamic.condition"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-logging" range="s3.tf:1081-1100"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="s3.tf:1081-1100"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:281-286"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:407-411"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="s3.tf:1081-1100"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="s3.tf:1081-1100"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-10-29T15:30:24Z INFO Number of language-specific files num=1
2024-10-29T15:30:24Z INFO [pip] Detecting vulnerabilities...
2024-10-29T15:30:24Z INFO Detected config files num=17

lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

trivy_exitcode=1
```
#### `Checkov Scan` Failed
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/electronic-monitoring-data/modules/step_function
terraform/environments/electronic-monitoring-data
*****************************
Running Checkov in terraform/environments/electronic-monitoring-data/modules/step_function
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-29 15:30:27,118 [MainThread ] [WARNI] [ArmLocalGraph] created 0 vertices
2024-10-29 15:30:27,118 [MainThread ] [WARNI] [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 43, Failed checks: 7, Skipped checks: 0

Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
    FAILED for resource: aws_sfn_state_machine.this
    File: /main.tf:4-9
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

        4 | resource "aws_sfn_state_machine" "this" {
        5 |   name       = var.name
        6 |   role_arn   = aws_iam_role.step_function_role.arn
        7 |   type       = var.state_machine_type
        8 |   definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary)
        9 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
    FAILED for resource: aws_sfn_state_machine.this
    File: /main.tf:4-9
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

        4 | resource "aws_sfn_state_machine" "this" {
        5 |   name       = var.name
        6 |   role_arn   = aws_iam_role.step_function_role.arn
        7 |   type       = var.state_machine_type
        8 |   definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary)
        9 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    FAILED for resource: aws_iam_policy_document.step_function_base_permissions
    File: /main.tf:40-49
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

        40 | data "aws_iam_policy_document" "step_function_base_permissions" {
        41 |   statement {
        42 |     effect = "Allow"
        43 |     actions = [
        44 |       "sns:Publish",
        45 |       "sqs:SendMessage"
        46 |     ]
        47 |     resources = ["*"]
        48 |   }
        49 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    FAILED for resource: aws_iam_policy_document.step_function_base_permissions
    File: /main.tf:40-49
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

        40 | data "aws_iam_policy_document" "step_function_base_permissions" {
        41 |   statement {
        42 |     effect = "Allow"
        43 |     actions = [
        44 |       "sns:Publish",
        45 |       "sqs:SendMessage"
        46 |     ]
        47 |     resources = ["*"]
        48 |   }
        49 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
    FAILED for resource: aws_iam_policy_document.this_log_key_document
    File: /main.tf:56-80
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

        56 | data "aws_iam_policy_document" "this_log_key_document" {
        57 |   statement {
        58 |     sid    = "EnableIAMUserPermissions"
        59 |     effect = "Allow"
        60 |     principals {
        61 |       type        = "AWS"
        62 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
        63 |     }
        64 |     actions   = ["kms:*"]
        65 |     resources = ["*"]
        66 |   }
        67 |
        68 |   statement {
        69 |     sid    = "EnableLogServicePermissions"
        70 |     effect = "Allow"
        71 |     principals {
        72 |       type        = "Service"
        73 |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
        74 |     }
        75 |     actions = [
        76 |       "kms:*",
        77 |     ]
        78 |     resources = ["*"]
        79 |   }
        80 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    FAILED for resource: aws_iam_policy_document.this_log_key_document
    File: /main.tf:56-80
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

        56 | data "aws_iam_policy_document" "this_log_key_document" {
        57 |   statement {
        58 |     sid    = "EnableIAMUserPermissions"
        59 |     effect = "Allow"
        60 |     principals {
        61 |       type        = "AWS"
        62 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
        63 |     }
        64 |     actions   = ["kms:*"]
        65 |     resources = ["*"]
        66 |   }
        67 |
        68 |   statement {
        69 |     sid    = "EnableLogServicePermissions"
        70 |     effect = "Allow"
        71 |     principals {
        72 |       type        = "Service"
        73 |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
        74 |     }
        75 |     actions = [
        76 |       "kms:*",
        77 |     ]
        78 |     resources = ["*"]
        79 |   }
        80 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    FAILED for resource: aws_iam_policy_document.this_log_key_document
    File: /main.tf:56-80
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

        56 | data "aws_iam_policy_document" "this_log_key_document" {
        57 |   statement {
        58 |     sid    = "EnableIAMUserPermissions"
        59 |     effect = "Allow"
        60 |     principals {
        61 |       type        = "AWS"
        62 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
        63 |     }
        64 |     actions   = ["kms:*"]
        65 |     resources = ["*"]
        66 |   }
        67 |
        68 |   statement {
        69 |     sid    = "EnableLogServicePermissions"
        70 |     effect = "Allow"
        71 |     principals {
        72 |       type        = "Service"
        73 |       identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
        74 |     }
        75 |     actions = [
        76 |       "kms:*",
        77 |     ]
        78 |     resources = ["*"]
        79 |   }
        80 | }

checkov_exitcode=1
*****************************
Running Checkov in terraform/environments/electronic-monitoring-data
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-29 15:30:30,228 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3:None (for external modules, the --download-external-modules flag is required)
2024-10-29 15:30:30,228 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060:None (for external modules, the --download-external-modules flag is required)
2024-10-29 15:30:30,228 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 15:30:30,228 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=52a40b0:None (for external modules, the --download-external-modules flag is required)
2024-10-29 15:30:30,263 [MainThread ] [WARNI] [ArmLocalGraph] created 0 vertices
2024-10-29 15:30:30,267 [MainThread ] [WARNI] [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 2365, Failed checks: 75, Skipped checks: 38

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
    FAILED for resource: aws_sns_topic.s3_events
    File: /data_store.tf:17-19
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

        17 | resource "aws_sns_topic" "s3_events" {
        18 |   name = "${module.s3-data-bucket.bucket.id}-object-created-topic"
        19 | }

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    FAILED for resource: aws_lambda_function.calculate_checksum_lambda
    File: /data_store.tf:82-98
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

        82 | resource
"aws_lambda_function" "calculate_checksum_lambda" { 83 | filename = "lambdas/calculate_checksum_lambda.zip" 84 | function_name = "calculate-checksum-lambda" 85 | role = aws_iam_role.calculate_checksum_lambda.arn 86 | handler = "calculate_checksum_lambda.handler" 87 | runtime = "python3.12" 88 | memory_size = 4096 89 | timeout = 900 90 | 91 | environment { 92 | variables = { 93 | Checksum = var.checksum_algorithm 94 | } 95 | } 96 | 97 | tags = local.tags 98 | } Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable" FAILED for resource: aws_lambda_function.calculate_checksum_lambda File: /data_store.tf:82-98 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5 82 | resource "aws_lambda_function" "calculate_checksum_lambda" { 83 | filename = "lambdas/calculate_checksum_lambda.zip" 84 | function_name = "calculate-checksum-lambda" 85 | role = aws_iam_role.calculate_checksum_lambda.arn 86 | handler = "calculate_checksum_lambda.handler" 87 | runtime = "python3.12" 88 | memory_size = 4096 89 | timeout = 900 90 | 91 | environment { 92 | variables = { 93 | Checksum = var.checksum_algorithm 94 | } 95 | } 96 | 97 | tags = local.tags 98 | } Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)" FAILED for resource: aws_lambda_function.calculate_checksum_lambda File: /data_store.tf:82-98 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq 82 | resource "aws_lambda_function" "calculate_checksum_lambda" { 83 | filename = "lambdas/calculate_checksum_lambda.zip" 84 | function_name = "calculate-checksum-lambda" 85 | role = aws_iam_role.calculate_checksum_lambda.arn 86 | handler = "calculate_checksum_lambda.handler" 87 | runtime = "python3.12" 88 | memory_size = 4096 89 | timeout = 900 90 | 91 | environment { 92 
| variables = { 93 | Checksum = var.checksum_algorithm 94 | } 95 | } 96 | 97 | tags = local.tags 98 | } Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda" FAILED for resource: aws_lambda_function.calculate_checksum_lambda File: /data_store.tf:82-98 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4 82 | resource "aws_lambda_function" "calculate_checksum_lambda" { 83 | filename = "lambdas/calculate_checksum_lambda.zip" 84 | function_name = "calculate-checksum-lambda" 85 | role = aws_iam_role.calculate_checksum_lambda.arn 86 | handler = "calculate_checksum_lambda.handler" 87 | runtime = "python3.12" 88 | memory_size = 4096 89 | timeout = 900 90 | 91 | environment { 92 | variables = { 93 | Checksum = var.checksum_algorithm 94 | } 95 | } 96 | 97 | tags = local.tags 98 | } Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing" FAILED for resource: aws_lambda_function.calculate_checksum_lambda File: /data_store.tf:82-98 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272 82 | resource "aws_lambda_function" "calculate_checksum_lambda" { 83 | filename = "lambdas/calculate_checksum_lambda.zip" 84 | function_name = "calculate-checksum-lambda" 85 | role = aws_iam_role.calculate_checksum_lambda.arn 86 | handler = "calculate_checksum_lambda.handler" 87 | runtime = "python3.12" 88 | memory_size = 4096 89 | timeout = 900 90 | 91 | environment { 92 | variables = { 93 | Checksum = var.checksum_algorithm 94 | } 95 | } 96 | 97 | tags = local.tags 98 | } Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC" FAILED for resource: aws_lambda_function.calculate_checksum_lambda File: /data_store.tf:82-98 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1 82 | 
resource "aws_lambda_function" "calculate_checksum_lambda" { 83 | filename = "lambdas/calculate_checksum_lambda.zip" 84 | function_name = "calculate-checksum-lambda" 85 | role = aws_iam_role.calculate_checksum_lambda.arn 86 | handler = "calculate_checksum_lambda.handler" 87 | runtime = "python3.12" 88 | memory_size = 4096 89 | timeout = 900 90 | 91 | environment { 92 | variables = { 93 | Checksum = var.checksum_algorithm 94 | } 95 | } 96 | 97 | tags = local.tags 98 | } Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit" FAILED for resource: aws_lambda_function.summarise_zip_lambda File: /data_store.tf:157-168 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit 157 | resource "aws_lambda_function" "summarise_zip_lambda" { 158 | filename = "lambdas/summarise_zip_lambda.zip" 159 | function_name = "summarise-zip-lambda" 160 | role = aws_iam_role.summarise_zip_lambda.arn 161 | handler = "summarise_zip_lambda.handler" 162 | runtime = "python3.12" 163 | timeout = 900 164 | memory_size = 1024 165 | layers = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"] 166 | source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256 167 | tags = local.tags 168 | } Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)" FAILED for resource: aws_lambda_function.summarise_zip_lambda File: /data_store.tf:157-168 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq 157 | resource "aws_lambda_function" "summarise_zip_lambda" { 158 | filename = "lambdas/summarise_zip_lambda.zip" 159 | function_name = "summarise-zip-lambda" 160 | role = aws_iam_role.summarise_zip_lambda.arn 
161 | handler = "summarise_zip_lambda.handler" 162 | runtime = "python3.12" 163 | timeout = 900 164 | memory_size = 1024 165 | layers = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"] 166 | source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256 167 | tags = local.tags 168 | } Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda" FAILED for resource: aws_lambda_function.summarise_zip_lambda File: /data_store.tf:157-168 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4 157 | resource "aws_lambda_function" "summarise_zip_lambda" { 158 | filename = "lambdas/summarise_zip_lambda.zip" 159 | function_name = "summarise-zip-lambda" 160 | role = aws_iam_role.summarise_zip_lambda.arn 161 | handler = "summarise_zip_lambda.handler" 162 | runtime = "python3.12" 163 | timeout = 900 164 | memory_size = 1024 165 | layers = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"] 166 | source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256 167 | tags = local.tags 168 | } Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing" FAILED for resource: aws_lambda_function.summarise_zip_lambda File: /data_store.tf:157-168 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272 157 | resource "aws_lambda_function" "summarise_zip_lambda" { 158 | filename = "lambdas/summarise_zip_lambda.zip" 159 | function_name = "summarise-zip-lambda" 160 | role = aws_iam_role.summarise_zip_lambda.arn 161 | handler = "summarise_zip_lambda.handler" 162 | runtime = "python3.12" 163 | timeout = 900 164 | memory_size = 1024 165 | layers = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"] 166 | source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256 167 | tags = local.tags 168 | } Check: 
CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC" FAILED for resource: aws_lambda_function.summarise_zip_lambda File: /data_store.tf:157-168 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1 157 | resource "aws_lambda_function" "summarise_zip_lambda" { 158 | filename = "lambdas/summarise_zip_lambda.zip" 159 | function_name = "summarise-zip-lambda" 160 | role = aws_iam_role.summarise_zip_lambda.arn 161 | handler = "summarise_zip_lambda.handler" 162 | runtime = "python3.12" 163 | timeout = 900 164 | memory_size = 1024 165 | layers = ["arn:aws:lambda:eu-west-2:017000801446:layer:AWSLambdaPowertoolsPythonV2:67"] 166 | source_code_hash = data.archive_file.summarise_zip_lambda.output_base64sha256 167 | tags = local.tags 168 | } Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year" FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group File: /dms_data_validation_glue_job.tf:58-61 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338 58 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" { 59 | name = "dms-dv-glue-job" 60 | retention_in_days = 14 61 | } Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS" FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group File: /dms_data_validation_glue_job.tf:58-61 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms 58 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group" { 59 | name = "dms-dv-glue-job" 60 | retention_in_days = 14 61 | } Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year" FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2 File: /dms_data_validation_glue_job.tf:63-66 
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338 63 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" { 64 | name = "dms-dv-glue-job-v2" 65 | retention_in_days = 14 66 | } Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS" FAILED for resource: aws_cloudwatch_log_group.dms_dv_cw_log_group_v2 File: /dms_data_validation_glue_job.tf:63-66 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms 63 | resource "aws_cloudwatch_log_group" "dms_dv_cw_log_group_v2" { 64 | name = "dms-dv-glue-job-v2" 65 | retention_in_days = 14 66 | } Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year" FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration File: /dms_data_validation_glue_job.tf:68-71 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338 68 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" { 69 | name = "rds-to-s3-parquet-migration" 70 | retention_in_days = 14 71 | } Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS" FAILED for resource: aws_cloudwatch_log_group.rds_to_s3_parquet_migration File: /dms_data_validation_glue_job.tf:68-71 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms 68 | resource "aws_cloudwatch_log_group" "rds_to_s3_parquet_migration" { 69 | name = "rds-to-s3-parquet-migration" 70 | retention_in_days = 14 71 | } Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year" FAILED for resource: aws_cloudwatch_log_group.resizing_parquet_files File: /dms_data_validation_glue_job.tf:73-76 Guide: 
https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338 73 | resource "aws_cloudwatch_log_group" "resizing_parquet_files" { 74 | name = "resizing-parquet-files" 75 | retention_in_days = 14 76 | } Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS" FAILED for resource: aws_cloudwatch_log_group.resizing_parquet_files File: /dms_data_validation_glue_job.tf:73-76 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms 73 | resource "aws_cloudwatch_log_group" "resizing_parquet_files" { 74 | name = "resizing-parquet-files" 75 | retention_in_days = 14 76 | } Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated" FAILED for resource: aws_glue_job.dms_dv_glue_job_v2 File: /dms_data_validation_glue_job.tf:79-132 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration Code lines for this resource are too many. Please use IDE of your choice to review the file. Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated" FAILED for resource: aws_glue_job.dms_dv_glue_job_v4d File: /dms_data_validation_glue_job.tf:140-193 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration Code lines for this resource are too many. Please use IDE of your choice to review the file. 
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated" FAILED for resource: aws_glue_job.rds_to_s3_parquet_migration File: /dms_data_validation_glue_job.tf:196-260 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration Code lines for this resource are too many. Please use IDE of your choice to review the file. Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated" FAILED for resource: aws_glue_job.rds_to_s3_parquet_migration_monthly File: /dms_data_validation_glue_job.tf:264-315 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration Code lines for this resource are too many. Please use IDE of your choice to review the file. Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated" FAILED for resource: aws_glue_job.resizing_parquet_files File: /dms_data_validation_glue_job.tf:318-370 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration Code lines for this resource are too many. Please use IDE of your choice to review the file. 
Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated" FAILED for resource: aws_glue_job.catalog_dv_table_glue_job File: /dms_data_validation_glue_job.tf:373-401 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration 373 | resource "aws_glue_job" "catalog_dv_table_glue_job" { 374 | name = "catalog-dv-table-glue-job" 375 | description = "Python script uses Boto3-Athena-Client to run sql-statements" 376 | role_arn = aws_iam_role.dms_dv_glue_job_iam_role.arn 377 | glue_version = "4.0" 378 | worker_type = "G.1X" 379 | number_of_workers = 2 380 | default_arguments = { 381 | "--parquet_output_bucket_name" = module.s3-dms-data-validation-bucket.bucket.id 382 | "--glue_catalog_db_name" = aws_glue_catalog_database.dms_dv_glue_catalog_db.name 383 | "--glue_catalog_tbl_name" = "glue_df_output" 384 | "--continuous-log-logGroup" = aws_cloudwatch_log_group.dms_dv_cw_log_group.name 385 | "--enable-continuous-cloudwatch-log" = "true" 386 | "--enable-continuous-log-filter" = "true" 387 | "--enable-metrics" = "" 388 | } 389 | command { 390 | python_version = "3" 391 | script_location = "s3://${module.s3-glue-job-script-bucket.bucket.id}/create_or_replace_dv_table.py" 392 | } 393 | 394 | tags = merge( 395 | local.tags, 396 | { 397 | Resource_Type = "Py script as glue-job that creates dv table / refreshes its partitions", 398 | } 399 | ) 400 | 401 | } Check: CKV_AWS_195: "Ensure Glue component has a security configuration associated" FAILED for resource: aws_glue_crawler.rds_sqlserver_db_glue_crawler File: /dms_glue_crawler.tf:35-56 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-glue-component-is-associated-with-a-security-configuration 35 | resource "aws_glue_crawler" "rds_sqlserver_db_glue_crawler" { 36 | name = 
"rds-sqlserver-${aws_db_instance.database_2022.identifier}-tf" 37 | role = aws_iam_role.dms_dv_glue_job_iam_role.arn 38 | database_name = aws_glue_catalog_database.rds_sqlserver_glue_catalog_db.name 39 | description = "Crawler to fetch database names" 40 | # table_prefix = "your_table_prefix" 41 | 42 | jdbc_target { 43 | connection_name = aws_glue_connection.glue_rds_sqlserver_db_connection.name 44 | path = "%" 45 | } 46 | tags = merge( 47 | local.tags, 48 | { 49 | Resource_Type = "RDS-SQLServer Glue-Crawler for DMS", 50 | } 51 | ) 52 | 53 | # provisioner "local-exec" { 54 | # command = "aws glue start-crawler --name ${self.name}" 55 | # } 56 | } Check: CKV_AWS_212: "Ensure DMS replication instance is encrypted by KMS using a customer managed Key (CMK)" FAILED for resource: aws_dms_replication_instance.dms_replication_instance File: /dms_replication_instance.tf:24-55 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ebs-volume-is-encrypted-by-key-management-service-kms-using-a-customer-managed-key-cmk 24 | resource "aws_dms_replication_instance" "dms_replication_instance" { 25 | allocated_storage = var.dms_allocated_storage_gib 26 | apply_immediately = true 27 | auto_minor_version_upgrade = true 28 | availability_zone = var.dms_availability_zone 29 | engine_version = var.dms_engine_version 30 | # kms_key_arn = "arn:aws:kms:eu-west-2:800964199911:key/b7f54acb-16a3-4958-9340-3bdf5f5842d8" 31 | multi_az = false 32 | # preferred_maintenance_window = "sun:10:30-sun:14:30" 33 | publicly_accessible = false 34 | replication_instance_class = var.dms_replication_instance_class 35 | replication_instance_id = "dms-replication-instance-tf" 36 | replication_subnet_group_id = aws_dms_replication_subnet_group.dms_replication_subnet_group.id 37 | 38 | tags = merge( 39 | local.tags, 40 | { 41 | Resource_Type = "DMS Replication Instance", 42 | } 43 | ) 44 | 45 | vpc_security_group_ids = [ 46 | 
aws_security_group.dms_ri_security_group.id, 47 | ] 48 | 49 | depends_on = [ 50 | aws_iam_role.dms_vpc_role, 51 | aws_iam_role.dms_cloudwatch_logs_role, 52 | aws_iam_role.dms_endpoint_role 53 | ] 54 | 55 | } Check: CKV_AWS_260: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 80" FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound File: /dms_security_groups.tf:95-103 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-security-groups-do-not-allow-ingress-from-00000-to-port-80 95 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" { 96 | security_group_id = aws_security_group.glue_rds_conn_security_group.id 97 | 98 | referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id 99 | ip_protocol = "tcp" 100 | from_port = 0 101 | to_port = 65535 102 | description = "Required ports open for Glue-RDS-Connection" 103 | } Check: CKV_AWS_24: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 22" FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound File: /dms_security_groups.tf:95-103 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-1-port-security 95 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" { 96 | security_group_id = aws_security_group.glue_rds_conn_security_group.id 97 | 98 | referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id 99 | ip_protocol = "tcp" 100 | from_port = 0 101 | to_port = 65535 102 | description = "Required ports open for Glue-RDS-Connection" 103 | } Check: CKV_AWS_25: "Ensure no security groups allow ingress from 0.0.0.0:0 to port 3389" FAILED for resource: aws_vpc_security_group_ingress_rule.glue_rds_conn_inbound File: /dms_security_groups.tf:95-103 Guide: 
https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-2 95 | resource "aws_vpc_security_group_ingress_rule" "glue_rds_conn_inbound" { 96 | security_group_id = aws_security_group.glue_rds_conn_security_group.id 97 | 98 | referenced_security_group_id = aws_security_group.glue_rds_conn_security_group.id 99 | ip_protocol = "tcp" 100 | from_port = 0 101 | to_port = 65535 102 | description = "Required ports open for Glue-RDS-Connection" 103 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document File: /glue_data.tf:96-111 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 96 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" { 97 | statement { 98 | effect = "Allow" 99 | actions = [ 100 | "ec2:CreateNetworkInterface", 101 | "ec2:DescribeNetworkInterfaces", 102 | "ec2:DeleteNetworkInterface", 103 | "ec2:DescribeVpcEndpoints", 104 | "ec2:DescribeSubnets", 105 | "ec2:DescribeVpcAttribute", 106 | "ec2:DescribeRouteTables", 107 | "ec2:DescribeSecurityGroups" 108 | ] 109 | resources = ["*"] 110 | } 111 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: aws_iam_policy_document.glue_notebook_ec2_iam_policy_document File: /glue_data.tf:96-111 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 96 | data "aws_iam_policy_document" "glue_notebook_ec2_iam_policy_document" { 97 | statement { 98 | effect = "Allow" 99 | actions = [ 100 | "ec2:CreateNetworkInterface", 101 | "ec2:DescribeNetworkInterfaces", 102 | "ec2:DeleteNetworkInterface", 103 | "ec2:DescribeVpcEndpoints", 104 | "ec2:DescribeSubnets", 105 | 
"ec2:DescribeVpcAttribute", 106 | "ec2:DescribeRouteTables", 107 | "ec2:DescribeSecurityGroups" 108 | ] 109 | resources = ["*"] 110 | } 111 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document File: /lambdas_iam.tf:430-487 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint Code lines for this resource are too many. Please use IDE of your choice to review the file. Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: aws_iam_policy_document.load_json_table_s3_policy_document File: /lambdas_iam.tf:430-487 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 Code lines for this resource are too many. Please use IDE of your choice to review the file. 
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK" FAILED for resource: aws_secretsmanager_secret.db_glue_connection File: /lambdas_secrets.tf:1-3 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms 1 | resource "aws_secretsmanager_secret" "db_glue_connection" { 2 | name = "db_glue_connection" 3 | } Check: CKV_AWS_296: "Ensure DMS endpoint uses Customer Managed Key (CMK)" FAILED for resource: module.dms_task.aws_dms_endpoint.dms_rds_source File: /modules/dms/endpoints_rds_s3.tf:2-23 Calling File: /dms_main.tf:1-39 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-296 2 | resource "aws_dms_endpoint" "dms_rds_source" { 3 | 4 | # certificate_arn = "" 5 | database_name = var.database_name 6 | endpoint_id = "rds-mssql-${replace(var.database_name, "_", "-")}-tf" 7 | endpoint_type = "source" 8 | engine_name = "sqlserver" 9 | # extra_connection_attributes = "" 10 | # kms_key_arn = aws_db_instance.database_2022.kms_key_id 11 | password = var.rds_db_instance_pasword 12 | port = var.rds_db_instance_port 13 | server_name = var.rds_db_server_name 14 | ssl_mode = "require" 15 | username = var.rds_db_username 16 | 17 | tags = merge( 18 | var.local_tags, 19 | { 20 | Resource_Type = "DMS Source Endpoint - RDS MSSQL", 21 | }, 22 | ) 23 | } Check: CKV_AWS_298: "Ensure DMS S3 uses Customer Managed Key (CMK)" FAILED for resource: module.dms_task.aws_dms_s3_endpoint.dms_s3_parquet_target File: /modules/dms/endpoints_rds_s3.tf:28-84 Calling File: /dms_main.tf:1-39 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-298 Code lines for this resource are too many. Please use IDE of your choice to review the file. 
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: module.athena_layer.aws_iam_policy_document.step_function_base_permissions File: /modules/step_function/main.tf:40-49 Calling File: /step_functions_main.tf:5-13 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 40 | data "aws_iam_policy_document" "step_function_base_permissions" { 41 | statement { 42 | effect = "Allow" 43 | actions = [ 44 | "sns:Publish", 45 | "sqs:SendMessage" 46 | ] 47 | resources = ["*"] 48 | } 49 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: module.athena_layer.aws_iam_policy_document.step_function_base_permissions File: /modules/step_function/main.tf:40-49 Calling File: /step_functions_main.tf:5-13 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 40 | data "aws_iam_policy_document" "step_function_base_permissions" { 41 | statement { 42 | effect = "Allow" 43 | actions = [ 44 | "sns:Publish", 45 | "sqs:SendMessage" 46 | ] 47 | resources = ["*"] 48 | } 49 | } Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints" FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:5-13 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = 
["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:5-13 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: module.athena_layer.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:5-13 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | 
principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled" FAILED for resource: module.athena_layer.aws_sfn_state_machine.this File: /modules/step_function/main.tf:4-9 Calling File: /step_functions_main.tf:5-13 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285 4 | resource "aws_sfn_state_machine" "this" { 5 | name = var.name 6 | role_arn = aws_iam_role.step_function_role.arn 7 | type = var.state_machine_type 8 | definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary) 9 | } Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled" FAILED for resource: module.athena_layer.aws_sfn_state_machine.this File: /modules/step_function/main.tf:4-9 Calling File: /step_functions_main.tf:5-13 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284 4 | resource "aws_sfn_state_machine" "this" { 5 | name = var.name 6 | role_arn = aws_iam_role.step_function_role.arn 7 | type = var.state_machine_type 8 | definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary) 9 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: module.get_zipped_file.aws_iam_policy_document.step_function_base_permissions File: /modules/step_function/main.tf:40-49 Calling File: /step_functions_main.tf:38-49 Guide: 
https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 40 | data "aws_iam_policy_document" "step_function_base_permissions" { 41 | statement { 42 | effect = "Allow" 43 | actions = [ 44 | "sns:Publish", 45 | "sqs:SendMessage" 46 | ] 47 | resources = ["*"] 48 | } 49 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: module.get_zipped_file.aws_iam_policy_document.step_function_base_permissions File: /modules/step_function/main.tf:40-49 Calling File: /step_functions_main.tf:38-49 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 40 | data "aws_iam_policy_document" "step_function_base_permissions" { 41 | statement { 42 | effect = "Allow" 43 | actions = [ 44 | "sns:Publish", 45 | "sqs:SendMessage" 46 | ] 47 | resources = ["*"] 48 | } 49 | } Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints" FAILED for resource: module.get_zipped_file.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:38-49 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = 
["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: module.get_zipped_file.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:38-49 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: module.get_zipped_file.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:38-49 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 
| principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled" FAILED for resource: module.get_zipped_file.aws_sfn_state_machine.this File: /modules/step_function/main.tf:4-9 Calling File: /step_functions_main.tf:38-49 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285 4 | resource "aws_sfn_state_machine" "this" { 5 | name = var.name 6 | role_arn = aws_iam_role.step_function_role.arn 7 | type = var.state_machine_type 8 | definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary) 9 | } Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled" FAILED for resource: module.get_zipped_file.aws_sfn_state_machine.this File: /modules/step_function/main.tf:4-9 Calling File: /step_functions_main.tf:38-49 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284 4 | resource "aws_sfn_state_machine" "this" { 5 | name = var.name 6 | role_arn = aws_iam_role.step_function_role.arn 7 | type = var.state_machine_type 8 | definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary) 9 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: module.send_database_to_ap.aws_iam_policy_document.step_function_base_permissions File: /modules/step_function/main.tf:40-49 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 40 | data "aws_iam_policy_document" "step_function_base_permissions" { 41 | statement { 42 | effect = "Allow" 43 | actions = [ 44 | 
"sns:Publish", 45 | "sqs:SendMessage" 46 | ] 47 | resources = ["*"] 48 | } 49 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: module.send_database_to_ap.aws_iam_policy_document.step_function_base_permissions File: /modules/step_function/main.tf:40-49 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 40 | data "aws_iam_policy_document" "step_function_base_permissions" { 41 | statement { 42 | effect = "Allow" 43 | actions = [ 44 | "sns:Publish", 45 | "sqs:SendMessage" 46 | ] 47 | resources = ["*"] 48 | } 49 | } Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints" FAILED for resource: module.send_database_to_ap.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: 
module.send_database_to_ap.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: module.send_database_to_ap.aws_iam_policy_document.this_log_key_document File: /modules/step_function/main.tf:56-80 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 56 | data "aws_iam_policy_document" "this_log_key_document" { 57 | statement { 58 | sid = "EnableIAMUserPermissions" 59 | effect = "Allow" 60 | principals { 61 | type = "AWS" 62 | identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"] 63 | } 64 | actions = ["kms:*"] 65 | resources = ["*"] 66 | } 67 | 68 | statement { 69 | sid = "EnableLogServicePermissions" 70 | effect = "Allow" 71 | principals { 72 | type = "Service" 73 | identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"] 74 | } 75 | actions = [ 76 | "kms:*", 77 | ] 78 | resources = ["*"] 79 | } 80 | } Check: CKV_AWS_285: "Ensure State Machine has 
execution history logging enabled" FAILED for resource: module.send_database_to_ap.aws_sfn_state_machine.this File: /modules/step_function/main.tf:4-9 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285 4 | resource "aws_sfn_state_machine" "this" { 5 | name = var.name 6 | role_arn = aws_iam_role.step_function_role.arn 7 | type = var.state_machine_type 8 | definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary) 9 | } Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled" FAILED for resource: module.send_database_to_ap.aws_sfn_state_machine.this File: /modules/step_function/main.tf:4-9 Calling File: /step_functions_main.tf:20-31 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284 4 | resource "aws_sfn_state_machine" "this" { 5 | name = var.name 6 | role_arn = aws_iam_role.step_function_role.arn 7 | type = var.state_machine_type 8 | definition = templatefile("step_function_definitions/${var.name}.json.tmpl", var.variable_dictionary) 9 | } Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK" FAILED for resource: aws_secretsmanager_secret.db_password File: /server_backups.tf:4-6 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms 4 | resource "aws_secretsmanager_secret" "db_password" { 5 | name = "db_password" 6 | } Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs" FAILED for resource: aws_db_instance.database_2022 File: /server_backups.tf:21-56 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-354 21 | resource "aws_db_instance" "database_2022" { 22 | # count = local.is-production ? 
1 : 0 23 | 24 | identifier = "database-v2022" 25 | license_model = "license-included" 26 | username = "admin" 27 | password = aws_secretsmanager_secret_version.db_password.secret_string 28 | 29 | engine = "sqlserver-se" 30 | engine_version = "16.00.4105.2.v1" 31 | instance_class = "db.m5.large" 32 | 33 | storage_type = "gp2" 34 | allocated_storage = 2100 35 | max_allocated_storage = 2500 36 | storage_encrypted = true 37 | 38 | multi_az = false 39 | 40 | db_subnet_group_name = aws_db_subnet_group.db.id 41 | vpc_security_group_ids = [aws_security_group.db.id] 42 | port = 1433 43 | 44 | auto_minor_version_upgrade = true 45 | skip_final_snapshot = true 46 | maintenance_window = "Mon:00:00-Mon:03:00" 47 | deletion_protection = false 48 | 49 | option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name 50 | 51 | iam_database_authentication_enabled = false 52 | 53 | apply_immediately = true 54 | 55 | tags = local.tags 56 | } Check: CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled" FAILED for resource: aws_db_instance.database_2022 File: /server_backups.tf:21-56 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-73 21 | resource "aws_db_instance" "database_2022" { 22 | # count = local.is-production ? 
1 : 0 23 | 24 | identifier = "database-v2022" 25 | license_model = "license-included" 26 | username = "admin" 27 | password = aws_secretsmanager_secret_version.db_password.secret_string 28 | 29 | engine = "sqlserver-se" 30 | engine_version = "16.00.4105.2.v1" 31 | instance_class = "db.m5.large" 32 | 33 | storage_type = "gp2" 34 | allocated_storage = 2100 35 | max_allocated_storage = 2500 36 | storage_encrypted = true 37 | 38 | multi_az = false 39 | 40 | db_subnet_group_name = aws_db_subnet_group.db.id 41 | vpc_security_group_ids = [aws_security_group.db.id] 42 | port = 1433 43 | 44 | auto_minor_version_upgrade = true 45 | skip_final_snapshot = true 46 | maintenance_window = "Mon:00:00-Mon:03:00" 47 | deletion_protection = false 48 | 49 | option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name 50 | 51 | iam_database_authentication_enabled = false 52 | 53 | apply_immediately = true 54 | 55 | tags = local.tags 56 | } Check: CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances" FAILED for resource: aws_db_instance.database_2022 File: /server_backups.tf:21-56 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/ensure-that-enhanced-monitoring-is-enabled-for-amazon-rds-instances 21 | resource "aws_db_instance" "database_2022" { 22 | # count = local.is-production ? 
1 : 0 23 | 24 | identifier = "database-v2022" 25 | license_model = "license-included" 26 | username = "admin" 27 | password = aws_secretsmanager_secret_version.db_password.secret_string 28 | 29 | engine = "sqlserver-se" 30 | engine_version = "16.00.4105.2.v1" 31 | instance_class = "db.m5.large" 32 | 33 | storage_type = "gp2" 34 | allocated_storage = 2100 35 | max_allocated_storage = 2500 36 | storage_encrypted = true 37 | 38 | multi_az = false 39 | 40 | db_subnet_group_name = aws_db_subnet_group.db.id 41 | vpc_security_group_ids = [aws_security_group.db.id] 42 | port = 1433 43 | 44 | auto_minor_version_upgrade = true 45 | skip_final_snapshot = true 46 | maintenance_window = "Mon:00:00-Mon:03:00" 47 | deletion_protection = false 48 | 49 | option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name 50 | 51 | iam_database_authentication_enabled = false 52 | 53 | apply_immediately = true 54 | 55 | tags = local.tags 56 | } Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled" FAILED for resource: aws_db_instance.database_2022 File: /server_backups.tf:21-56 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-353 21 | resource "aws_db_instance" "database_2022" { 22 | # count = local.is-production ? 
1 : 0 23 | 24 | identifier = "database-v2022" 25 | license_model = "license-included" 26 | username = "admin" 27 | password = aws_secretsmanager_secret_version.db_password.secret_string 28 | 29 | engine = "sqlserver-se" 30 | engine_version = "16.00.4105.2.v1" 31 | instance_class = "db.m5.large" 32 | 33 | storage_type = "gp2" 34 | allocated_storage = 2100 35 | max_allocated_storage = 2500 36 | storage_encrypted = true 37 | 38 | multi_az = false 39 | 40 | db_subnet_group_name = aws_db_subnet_group.db.id 41 | vpc_security_group_ids = [aws_security_group.db.id] 42 | port = 1433 43 | 44 | auto_minor_version_upgrade = true 45 | skip_final_snapshot = true 46 | maintenance_window = "Mon:00:00-Mon:03:00" 47 | deletion_protection = false 48 | 49 | option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name 50 | 51 | iam_database_authentication_enabled = false 52 | 53 | apply_immediately = true 54 | 55 | tags = local.tags 56 | } Check: CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled" FAILED for resource: aws_db_instance.database_2022 File: /server_backups.tf:21-56 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-293 21 | resource "aws_db_instance" "database_2022" { 22 | # count = local.is-production ? 
1 : 0 23 | 24 | identifier = "database-v2022" 25 | license_model = "license-included" 26 | username = "admin" 27 | password = aws_secretsmanager_secret_version.db_password.secret_string 28 | 29 | engine = "sqlserver-se" 30 | engine_version = "16.00.4105.2.v1" 31 | instance_class = "db.m5.large" 32 | 33 | storage_type = "gp2" 34 | allocated_storage = 2100 35 | max_allocated_storage = 2500 36 | storage_encrypted = true 37 | 38 | multi_az = false 39 | 40 | db_subnet_group_name = aws_db_subnet_group.db.id 41 | vpc_security_group_ids = [aws_security_group.db.id] 42 | port = 1433 43 | 44 | auto_minor_version_upgrade = true 45 | skip_final_snapshot = true 46 | maintenance_window = "Mon:00:00-Mon:03:00" 47 | deletion_protection = false 48 | 49 | option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name 50 | 51 | iam_database_authentication_enabled = false 52 | 53 | apply_immediately = true 54 | 55 | tags = local.tags 56 | } Check: CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled" FAILED for resource: aws_db_instance.database_2022 File: /server_backups.tf:21-56 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-that-respective-logs-of-amazon-relational-database-service-amazon-rds-are-enabled 21 | resource "aws_db_instance" "database_2022" { 22 | # count = local.is-production ? 
1 : 0 23 | 24 | identifier = "database-v2022" 25 | license_model = "license-included" 26 | username = "admin" 27 | password = aws_secretsmanager_secret_version.db_password.secret_string 28 | 29 | engine = "sqlserver-se" 30 | engine_version = "16.00.4105.2.v1" 31 | instance_class = "db.m5.large" 32 | 33 | storage_type = "gp2" 34 | allocated_storage = 2100 35 | max_allocated_storage = 2500 36 | storage_encrypted = true 37 | 38 | multi_az = false 39 | 40 | db_subnet_group_name = aws_db_subnet_group.db.id 41 | vpc_security_group_ids = [aws_security_group.db.id] 42 | port = 1433 43 | 44 | auto_minor_version_upgrade = true 45 | skip_final_snapshot = true 46 | maintenance_window = "Mon:00:00-Mon:03:00" 47 | deletion_protection = false 48 | 49 | option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name 50 | 51 | iam_database_authentication_enabled = false 52 | 53 | apply_immediately = true 54 | 55 | tags = local.tags 56 | } Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints" FAILED for resource: aws_iam_policy_document.send_database_to_ap File: /step_functions_iam.tf:44-118 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint Code lines for this resource are too many. Please use IDE of your choice to review the file. Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions" FAILED for resource: aws_iam_policy_document.send_database_to_ap File: /step_functions_iam.tf:44-118 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356 Code lines for this resource are too many. Please use IDE of your choice to review the file. 
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled" FAILED for resource: aws_secretsmanager_secret.db_glue_connection File: /lambdas_secrets.tf:1-3 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57 1 | resource "aws_secretsmanager_secret" "db_glue_connection" { 2 | name = "db_glue_connection" 3 | } Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled" FAILED for resource: aws_secretsmanager_secret.db_password File: /server_backups.tf:4-6 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57 4 | resource "aws_secretsmanager_secret" "db_password" { 5 | name = "db_password" 6 | } Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled" FAILED for resource: aws_db_instance.database_2022 File: /server_backups.tf:21-56 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60 21 | resource "aws_db_instance" "database_2022" { 22 | # count = local.is-production ? 
1 : 0 23 | 24 | identifier = "database-v2022" 25 | license_model = "license-included" 26 | username = "admin" 27 | password = aws_secretsmanager_secret_version.db_password.secret_string 28 | 29 | engine = "sqlserver-se" 30 | engine_version = "16.00.4105.2.v1" 31 | instance_class = "db.m5.large" 32 | 33 | storage_type = "gp2" 34 | allocated_storage = 2100 35 | max_allocated_storage = 2500 36 | storage_encrypted = true 37 | 38 | multi_az = false 39 | 40 | db_subnet_group_name = aws_db_subnet_group.db.id 41 | vpc_security_group_ids = [aws_security_group.db.id] 42 | port = 1433 43 | 44 | auto_minor_version_upgrade = true 45 | skip_final_snapshot = true 46 | maintenance_window = "Mon:00:00-Mon:03:00" 47 | deletion_protection = false 48 | 49 | option_group_name = aws_db_option_group.sqlserver_backup_restore_2022.name 50 | 51 | iam_database_authentication_enabled = false 52 | 53 | apply_immediately = true 54 | 55 | tags = local.tags 56 | } Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource" FAILED for resource: aws_security_group.glue_rds_conn_security_group File: /dms_security_groups.tf:71-82 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis 71 | resource "aws_security_group" "glue_rds_conn_security_group" { 72 | name = "glue-rds-sqlserver-connection-tf" 73 | description = "Secuity Group for Glue-RDS-Connection" 74 | vpc_id = data.aws_vpc.shared.id 75 | 76 | tags = merge( 77 | local.tags, 78 | { 79 | Resource_Type = "Secuity Group for Glue-RDS-Connection", 80 | } 81 | ) 82 | } Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource" FAILED for resource: module.buddi.module.landing_zone_security_groups.aws_security_group.this File: /modules/landing_zone/server_security_group/main.tf:7-22 Guide: 
https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis 7 | resource "aws_security_group" "this" { 8 | name = "${var.supplier}-${var.user_name}-inbound-ips" 9 | description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server" 10 | vpc_id = var.vpc_id 11 | 12 | lifecycle { 13 | create_before_destroy = true 14 | } 15 | 16 | tags = merge( 17 | var.local_tags, 18 | { 19 | supplier = var.user_name, 20 | }, 21 | ) 22 | } Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource" FAILED for resource: module.capita.module.landing_zone_security_groups.aws_security_group.this File: /modules/landing_zone/server_security_group/main.tf:7-22 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis 7 | resource "aws_security_group" "this" { 8 | name = "${var.supplier}-${var.user_name}-inbound-ips" 9 | description = "Allowed IP addresses for ${var.user_name} on ${var.supplier} server" 10 | vpc_id = var.vpc_id 11 | 12 | lifecycle { 13 | create_before_destroy = true 14 | } 15 | 16 | tags = merge( 17 | var.local_tags, 18 | { 19 | supplier = var.user_name, 20 | }, 21 | ) 22 | } Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource" FAILED for resource: module.g4s.module.landing_zone_security_groups.aws_security_group.this File: /modules/landing_zone/server_security_group/main.tf:7-22 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis 7 | resource "aws_security_group" "this" { 8 | name = "${var.supplier}-${var.user_name}-inbound-ips" 9 | description = "Allowed IP addresses for 
${var.user_name} on ${var.supplier} server" 10 | vpc_id = var.vpc_id 11 | 12 | lifecycle { 13 | create_before_destroy = true 14 | } 15 | 16 | tags = merge( 17 | var.local_tags, 18 | { 19 | supplier = var.user_name, 20 | }, 21 | ) 22 | } dockerfile scan results: Passed checks: 21, Failed checks: 2, Skipped checks: 0 Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images" FAILED for resource: /lambdas/update_log_table/Dockerfile. File: /lambdas/update_log_table/Dockerfile:1-9 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images 1 | FROM public.ecr.aws/lambda/python:3.11 2 | 3 | COPY requirements.txt . 4 | 5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}" 6 | 7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT} 8 | 9 | CMD ["update_log_table.handler"] Check: CKV_DOCKER_3: "Ensure that a user for the container has been created" FAILED for resource: /lambdas/update_log_table/Dockerfile. File: /lambdas/update_log_table/Dockerfile:1-9 Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created 1 | FROM public.ecr.aws/lambda/python:3.11 2 | 3 | COPY requirements.txt . 4 | 5 | RUN pip install -r requirements.txt --target "${LAMBDA_TASK_ROOT}" 6 | 7 | COPY update_log_table.py ${LAMBDA_TASK_ROOT} 8 | 9 | CMD ["update_log_table.handler"] checkov_exitcode=2 ```
#### `TFLint Scan` Failed
```hcl
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/electronic-monitoring-data/modules/step_function
terraform/environments/electronic-monitoring-data
*****************************
Running tflint in terraform/environments/electronic-monitoring-data/modules/step_function
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on terraform/environments/electronic-monitoring-data/modules/step_function/main.tf line 1:

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/modules/step_function/main.tf line 93:
  93: resource "aws_cloudwatch_log_group" "this_log_group" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2
*****************************
Running tflint in terraform/environments/electronic-monitoring-data
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: Missing version constraint for provider "archive" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/lambdas_main.tf line 189:
  189: data "archive_file" "query_output_to_list" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/electronic-monitoring-data/server_backups.tf line 13:
  13: resource "random_password" "random_password" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=4
```
#### `Trivy Scan` Failed
```hcl
*****************************
Trivy will check the following folders:
terraform/environments/electronic-monitoring-data/modules/step_function
terraform/environments/electronic-monitoring-data
*****************************
Running Trivy in terraform/environments/electronic-monitoring-data/modules/step_function
2024-10-29T15:30:11Z INFO [vulndb] Need to update DB
2024-10-29T15:30:11Z INFO [vulndb] Downloading vulnerability DB...
2024-10-29T15:30:11Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T15:30:13Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T15:30:13Z INFO [vuln] Vulnerability scanning is enabled
2024-10-29T15:30:13Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-29T15:30:13Z INFO [misconfig] Need to update the built-in checks
2024-10-29T15:30:13Z INFO [misconfig] Downloading the built-in checks...
2024-10-29T15:30:13Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 276.386µs, allowed: 44000/minute\n\n"
2024-10-29T15:30:13Z INFO [secret] Secret scanning is enabled
2024-10-29T15:30:13Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-29T15:30:13Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-29T15:30:14Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-29T15:30:14Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="iam_policies, name, variable_dictionary"
2024-10-29T15:30:14Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_iam_role_policy_attachment.this_attachment" value="cty.NilVal"
2024-10-29T15:30:14Z INFO Number of language-specific files num=0
2024-10-29T15:30:14Z INFO Detected config files num=1
trivy_exitcode=0
*****************************
Running Trivy in terraform/environments/electronic-monitoring-data
2024-10-29T15:30:14Z INFO [vuln] Vulnerability scanning is enabled
2024-10-29T15:30:14Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-29T15:30:14Z INFO [misconfig] Need to update the built-in checks
2024-10-29T15:30:14Z INFO [misconfig] Downloading the built-in checks...
2024-10-29T15:30:14Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16957b935ef82529bc26f3ceeeb60d798c90ef142d25e3715ab4478b204ed1bb: TOOMANYREQUESTS: retry-after: 301.241µs, allowed: 44000/minute"
2024-10-29T15:30:14Z INFO [secret] Secret scanning is enabled
2024-10-29T15:30:14Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-29T15:30:14Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-29T15:30:15Z WARN [pip] Unable to find python `site-packages` directory. License detection is skipped. err="site-packages directory not found"
2024-10-29T15:30:16Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-29T15:30:16Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-29T15:30:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T15:30:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T15:30:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T15:30:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T15:30:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_metadata_from_rds_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T15:30:17Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_metadata_from_rds_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.query_output_to_list.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.
block="module.query_output_to_list.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.aws_s3_object.user_public_keys" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.data.aws_subnet.local_account" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.dynamic.tag" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.dynamic.tag" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.rds_bastion.module.s3-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.rds_bastion.module.s3-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-athena-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-athena-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-athena-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-clamav-definitions-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-clamav-definitions-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-data-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-data-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-dms-data-validation-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-data-validation-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. 
Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-premigrate-assess-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-dms-target-store-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-dms-target-store-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-dms-target-store-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T15:30:18Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.create_athena_table.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.get_file_keys_for_table.dynamic.vpc_config" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-general-landing-bucket.module.this-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.principals" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.condition" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.expiration" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.transition" value="cty.NilVal" 2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-fms-specials-landing-bucket.module.this-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-glue-job-script-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-json-directory-structure-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.output_file_structure_as_json_from_zip.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.expiration" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.transition" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.principals" value="cty.NilVal"
2024-10-29T15:30:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3-logging-bucket.dynamic.condition" value="cty.NilVal"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-logging" range="s3.tf:1081-1100"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=f759060/main.tf:153-163"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=95ed3c3/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=568694e50e03630d99cb569eafa06a0b879a1239/main.tf:171-179"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="s3.tf:1081-1100"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:281-286"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-cloudwatch-log-group-customer-key" range="modules/api_step_function/main.tf:407-411"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="s3.tf:1081-1100"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-bucket-encryption" range="s3.tf:1081-1100"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-10-29T15:30:24Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="modules/landing_bucket_iam_user_access/main.tf:2-10"
2024-10-29T15:30:24Z INFO Number of language-specific files num=1
2024-10-29T15:30:24Z INFO [pip] Detecting vulnerabilities...
2024-10-29T15:30:24Z INFO Detected config files num=17

lambdas/update_log_table/Dockerfile (dockerfile)
================================================
Tests: 20 (SUCCESSES: 19, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────

trivy_exitcode=1
```