#### `Checkov Scan` Success
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
*****************************
Running Checkov in terraform/environments/delius-core/modules/components/oracle_db_shared
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-29 16:11:04,251 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-10-29 16:11:04,251 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-29 16:11:04,276 [MainThread ] [WARNI] [ArmLocalGraph] created 0 vertices
2024-10-29 16:11:04,284 [MainThread ] [WARNI] [ArmLocalGraph] created 0 edges
terraform scan results:
Passed checks: 241, Failed checks: 0, Skipped checks: 24
checkov_exitcode=0
```
#### `CTFLint Scan` Failed
```hcl
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
*****************************
Running tflint in terraform/environments/delius-core/modules/components/oracle_db_shared
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 10:
10: "${module.s3_bucket_oracledb_backups.bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 74:
74: "${module.s3_bucket_oracledb_backups.bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 87:
87: "${aws_s3_bucket.s3_bucket_oracledb_backups_inventory.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 126:
126: "${module.s3_bucket_oracle_statistics[0].bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 255:
255: values = ["${var.account_info.id}"]
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 267:
267: values = ["${module.s3_bucket_oracledb_backups.bucket.arn}"]
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 331:
331: resources = ["${module.s3_bucket_oracle_statistics[0].bucket.arn}"]
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
tflint_exitcode=2
```
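Each of the seven tflint warnings above is marked `[Fixable]`: the string `"${expr}"` wraps a single interpolation and nothing else, so it can be replaced by the bare expression `expr`, which is the rewrite `tflint --fix` applies for `terraform_deprecated_interpolation`. The Python below is an added example, not tflint's own code. It performs that rewrite conservatively: it only touches a quoted string made up of exactly one `${...}` with no nested braces or quotes, leaves mixed strings such as `"${a}-${b}"` or `"prefix-${a}"` alone, and reports every change with its line number. The sample fragment is constructed from the flagged lines quoted above plus two strings that must not be changed; `fix_deprecated_interpolation` is a name chosen here.

```python
import re

# A quoted string holding exactly one interpolation and nothing else, with no
# nested braces or quotes inside it. Anything more complex (nested function
# calls with string arguments, heredocs) is deliberately left for a human.
INTERP_ONLY_RE = re.compile(r'"\$\{([^{}"]+)\}"')

# Constructed sample: the three flagged lines from s3.tf (lines 255, 267, 331
# in the tflint report) plus two strings that are NOT interpolation-only.
SAMPLE_TF = '''\
    values    = ["${var.account_info.id}"]
    values    = ["${module.s3_bucket_oracledb_backups.bucket.arn}"]
    resources = ["${module.s3_bucket_oracle_statistics[0].bucket.arn}"]
    name      = "${var.env_name}-oracle-backups"
    key       = "${var.prefix}${var.suffix}"
'''


def fix_deprecated_interpolation(source: str):
    """Rewrite "${expr}" -> expr line by line.

    Returns (fixed_source, changes) where changes is a list of
    (lineno, original_line, fixed_line) so the caller can show a diff.
    Lines that contain anything other than a lone interpolation inside the
    quotes are passed through unchanged.
    """
    fixed_lines, changes = [], []
    for lineno, line in enumerate(source.splitlines(keepends=True), start=1):
        new = INTERP_ONLY_RE.sub(r"\1", line)
        if new != line:
            changes.append((lineno, line.rstrip("\n"), new.rstrip("\n")))
        fixed_lines.append(new)
    return "".join(fixed_lines), changes


if __name__ == "__main__":
    fixed, changes = fix_deprecated_interpolation(SAMPLE_TF)
    for lineno, before, after in changes:
        print(f"line {lineno}:\n  - {before.strip()}\n  + {after.strip()}")
    print(fixed)
```

Running the script on a real `.tf` file is a matter of reading the file into `fix_deprecated_interpolation` and writing the first return value back; the change list gives the same line references tflint prints, so the two can be compared before committing.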
#### `Trivy Scan` Failed
```hcl
*****************************
Trivy will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
*****************************
Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_shared
2024-10-29T16:10:57Z INFO [vulndb] Need to update DB
2024-10-29T16:10:57Z INFO [vulndb] Downloading vulnerability DB...
2024-10-29T16:10:57Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T16:10:59Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T16:10:59Z INFO [vuln] Vulnerability scanning is enabled
2024-10-29T16:10:59Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-29T16:10:59Z INFO [misconfig] Need to update the built-in checks
2024-10-29T16:10:59Z INFO [misconfig] Downloading the built-in checks...
2024-10-29T16:10:59Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16957b935ef82529bc26f3ceeeb60d798c90ef142d25e3715ab4478b204ed1bb: TOOMANYREQUESTS: retry-after: 179.29µs, allowed: 44000/minute"
2024-10-29T16:10:59Z INFO [secret] Secret scanning is enabled
2024-10-29T16:10:59Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-29T16:10:59Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-29T16:11:00Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-29T16:11:00Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_config, account_info, bastion_sg_id, env_name, environment_config, platform_vars, public_keys, tags"
2024-10-29T16:11:00Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.expiration" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.transition" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.principals" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.condition" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.expiration" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.transition" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.principals" value="cty.NilVal"
2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.condition" value="cty.NilVal"
2024-10-29T16:11:01Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="sg.tf:16"
2024-10-29T16:11:01Z INFO Number of language-specific files num=0
2024-10-29T16:11:01Z INFO Detected config files num=6
s3.tf (terraform)
=================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
s3.tf:212-220
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "oracledb_backups_inventory" {
213 │ bucket = aws_s3_bucket.s3_bucket_oracledb_backups_inventory.id
214 │ rule {
215 │ apply_server_side_encryption_by_default {
216 │ kms_master_key_id = var.account_config.kms_keys.general_shared
217 │ sse_algorithm = "aws:kms"
218 │ }
219 │ }
220 └ }
────────────────────────────────────────
trivy_exitcode=1
```
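The three scan outputs above carry caveats that are easy to miss when reading the bot comment. Trivy could not download its check bundle (rate-limited by ghcr.io) and fell back to the checks embedded in the v0.56 binary. Trivy also could not resolve the module's input variables (`account_config` among them), so `var.account_config.kms_keys.general_shared` evaluated as unknown; the `avd-aws-0132` finding on `s3.tf:212-220` may therefore be an artefact of evaluation rather than evidence that a customer managed key is missing, and the module should be re-scanned with a variable file (`trivy config --tf-vars`) before the finding is accepted or suppressed. Checkov, meanwhile, did not download the external `modernisation-platform-terraform-s3-bucket` module, so its 241 passes say nothing about that module's contents. The Python triage script below is an added example, not part of the Modernisation Platform workflow; it parses output in the format shown above, records each tool's exit code, and attaches those caveats to the result, flagging any Trivy finding whose quoted code references an unresolved variable. The sample input is constructed from trimmed copies of the lines in this comment, and the names `triage`, `Finding` and `Triage` are chosen here.

```python
"""Triage helper for Checkov / tflint / Trivy output in the format shown above.
Added example, not part of the Modernisation Platform workflow.  It extracts
each tool's exit code and the caveats that weaken a green or red result:
  * Trivy fell back to its embedded check bundle (download was rate-limited)
  * Trivy could not resolve input variables, so a finding whose flagged code
    references one of them may be an evaluation artefact, not a real issue
  * Checkov skipped an external module, so that module's content was not scanned
"""
import re
from dataclasses import dataclass, field

EXIT_RE = re.compile(r"^(?P<tool>[a-z]+)_exitcode=(?P<code>\d+)$")
UNRESOLVED_RE = re.compile(r'Variable values was not found.*variables="(?P<names>[^"]*)"')
FINDING_RE = re.compile(r"^(?P<sev>LOW|MEDIUM|HIGH|CRITICAL): (?P<msg>.+)$")
AVD_RE = re.compile(r"^See https://avd\.aquasec\.com/misconfig/(?P<id>\S+)$")
RANGE_RE = re.compile(r"^(?P<path>\S+\.tf):(?P<start>\d+)-(?P<end>\d+)$")
SNIPPET_RE = re.compile(r"^\s*\d+ [┌│└] (?P<code>.*)$")   # Trivy's boxed code lines
VAR_REF_RE = re.compile(r"\bvar\.(\w+)")
MODULE_RE = re.compile(r"Failed to download module (\S+)")

# Constructed sample: trimmed copies of lines from the bot comment above.
SAMPLE = """\
Running Checkov in terraform/environments/delius-core/modules/components/oracle_db_shared
2024-10-29 16:11:04,251 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
Passed checks: 241, Failed checks: 0, Skipped checks: 24
checkov_exitcode=0
Running tflint in terraform/environments/delius-core/modules/components/oracle_db_shared
7 issue(s) found:
tflint_exitcode=2
Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_shared
2024-10-29T16:10:59Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: ..."
2024-10-29T16:11:00Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_config, account_info, bastion_sg_id, env_name, environment_config, platform_vars, public_keys, tags"
HIGH: Bucket does not encrypt data with a customer managed key.
See https://avd.aquasec.com/misconfig/avd-aws-0132
s3.tf:212-220
212 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "oracledb_backups_inventory" {
216 │ kms_master_key_id = var.account_config.kms_keys.general_shared
217 │ sse_algorithm = "aws:kms"
220 └ }
trivy_exitcode=1
"""


@dataclass
class Finding:
    severity: str
    message: str
    check_id: str = ""
    location: str = ""
    variables: set = field(default_factory=set)   # var.<name> refs in the flagged code
    suspect_unresolved: bool = False               # True if any such ref was unresolved


@dataclass
class Triage:
    exit_codes: dict = field(default_factory=dict)
    unresolved_variables: set = field(default_factory=set)
    findings: list = field(default_factory=list)
    caveats: list = field(default_factory=list)


def triage(text: str) -> Triage:
    """Walk the log once; a Trivy finding spans several lines, so track the current one."""
    result, current = Triage(), None
    for line in text.splitlines():
        if m := EXIT_RE.match(line):
            result.exit_codes[m["tool"]] = int(m["code"])
            current = None                      # a tool's section has ended
        elif m := UNRESOLVED_RE.search(line):
            result.unresolved_variables.update(
                n.strip() for n in m["names"].split(",") if n.strip())
        elif "Falling back to embedded checks" in line:
            result.caveats.append("trivy: check bundle download failed; results come from "
                                  "the checks embedded in this Trivy binary")
        elif "--download-external-modules flag is required" in line:
            mod = MODULE_RE.search(line)
            result.caveats.append("checkov: external module not evaluated: "
                                  f"{mod.group(1) if mod else line.strip()}")
        elif m := FINDING_RE.match(line):
            current = Finding(m["sev"], m["msg"])
            result.findings.append(current)
        elif current is not None:
            if m := AVD_RE.match(line):
                current.check_id = m["id"]
            elif m := RANGE_RE.match(line):
                current.location = f"{m['path']}:{m['start']}-{m['end']}"
            elif m := SNIPPET_RE.match(line):
                current.variables.update(VAR_REF_RE.findall(m["code"]))
    for f in result.findings:
        f.suspect_unresolved = bool(f.variables & result.unresolved_variables)
        if f.suspect_unresolved:
            result.caveats.append(
                f"trivy: {f.check_id} at {f.location} depends on unresolved var(s) "
                f"{sorted(f.variables)}; re-run with --tf-vars before treating it as real")
    return result


if __name__ == "__main__":
    t = triage(SAMPLE)
    print("exit codes:", t.exit_codes)
    for caveat in t.caveats:
        print("caveat:", caveat)
```

In a pipeline the job log is fed to `triage` and the `suspect_unresolved` findings are gated separately from the rest: a HIGH that only exists because a variable was unknown should trigger a re-scan with the environment's tfvars, not a blanket `trivy:ignore` comment.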
```hcl
*****************************
Trivy will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
*****************************
Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_shared
2024-10-29T16:17:08Z INFO [vulndb] Need to update DB
2024-10-29T16:17:08Z INFO [vulndb] Downloading vulnerability DB...
2024-10-29T16:17:08Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T16:17:10Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T16:17:10Z INFO [vuln] Vulnerability scanning is enabled
2024-10-29T16:17:10Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-29T16:17:10Z INFO [misconfig] Need to update the built-in checks
2024-10-29T16:17:10Z INFO [misconfig] Downloading the built-in checks...
2024-10-29T16:17:10Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 467.27µs, allowed: 44000/minute\n\n"
2024-10-29T16:17:10Z INFO [secret] Secret scanning is enabled
2024-10-29T16:17:10Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-29T16:17:10Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-29T16:17:11Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-29T16:17:11Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_config, account_info, bastion_sg_id, env_name, environment_config, platform_vars, public_keys, tags"
2024-10-29T16:17:11Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.expiration" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.transition" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.principals" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.condition" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.expiration" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.transition" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.principals" value="cty.NilVal"
2024-10-29T16:17:12Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.condition" value="cty.NilVal"
2024-10-29T16:17:12Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="sg.tf:16"
2024-10-29T16:17:12Z INFO Number of language-specific files num=0
2024-10-29T16:17:12Z INFO Detected config files num=6
s3.tf (terraform)
=================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
s3.tf:212-220
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "oracledb_backups_inventory" {
213 │ bucket = aws_s3_bucket.s3_bucket_oracledb_backups_inventory.id
214 │ rule {
215 │ apply_server_side_encryption_by_default {
216 │ kms_master_key_id = var.account_config.kms_keys.general_shared
217 │ sse_algorithm = "aws:kms"
218 │ }
219 │ }
220 └ }
────────────────────────────────────────
trivy_exitcode=1
```
#### `Checkov Scan` Success
Show Output
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
*****************************
Running Checkov in terraform/environments/delius-core/modules/components/oracle_db_shared
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-29 16:17:14,933 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-10-29 16:17:14,933 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-29 16:17:14,958 [MainThread ] [WARNI] [ArmLocalGraph] created 0 vertices
2024-10-29 16:17:14,958 [MainThread ] [WARNI] [ArmLocalGraph] created 0 edges
terraform scan results:
Passed checks: 241, Failed checks: 0, Skipped checks: 24
checkov_exitcode=0
```
#### `CTFLint Scan` Failed
Show Output
```hcl
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
*****************************
Running tflint in terraform/environments/delius-core/modules/components/oracle_db_shared
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 10:
10: "${module.s3_bucket_oracledb_backups.bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 74:
74: "${module.s3_bucket_oracledb_backups.bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 87:
87: "${aws_s3_bucket.s3_bucket_oracledb_backups_inventory.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 126:
126: "${module.s3_bucket_oracle_statistics[0].bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 255:
255: values = ["${var.account_info.id}"]
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 267:
267: values = ["${module.s3_bucket_oracledb_backups.bucket.arn}"]
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 332:
332: resources = ["${module.s3_bucket_oracle_statistics[0].bucket.arn}"]
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
tflint_exitcode=2
```
#### `Trivy Scan` Failed
Show Output
```hcl
*****************************
Trivy will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
*****************************
Running Trivy in terraform/environments/delius-core/modules/components/oracle_db_shared
2024-10-29T16:21:24Z INFO [vulndb] Need to update DB
2024-10-29T16:21:24Z INFO [vulndb] Downloading vulnerability DB...
2024-10-29T16:21:24Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T16:21:27Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T16:21:27Z INFO [vuln] Vulnerability scanning is enabled
2024-10-29T16:21:27Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-29T16:21:27Z INFO [misconfig] Need to update the built-in checks
2024-10-29T16:21:27Z INFO [misconfig] Downloading the built-in checks...
2024-10-29T16:21:27Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16957b935ef82529bc26f3ceeeb60d798c90ef142d25e3715ab4478b204ed1bb: TOOMANYREQUESTS: retry-after: 869.78µs, allowed: 44000/minute"
2024-10-29T16:21:27Z INFO [secret] Secret scanning is enabled
2024-10-29T16:21:27Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-29T16:21:27Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-29T16:21:27Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-29T16:21:27Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="account_config, account_info, bastion_sg_id, env_name, environment_config, platform_vars, public_keys, tags"
2024-10-29T16:21:27Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_s3_object.user_public_keys" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.expiration" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.transition" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.principals" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracledb_backups.dynamic.condition" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.expiration" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.transition" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.principals" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.condition" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.expiration" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.transition" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.noncurrent_version_expiration" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.noncurrent_version_transition" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.principals" value="cty.NilVal"
2024-10-29T16:21:28Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.condition" value="cty.NilVal"
2024-10-29T16:21:28Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="sg.tf:16"
2024-10-29T16:21:28Z INFO Number of language-specific files num=0
2024-10-29T16:21:28Z INFO Detected config files num=6
s3.tf (terraform)
=================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
s3.tf:212-220
────────────────────────────────────────
212 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "oracledb_backups_inventory" {
213 │ bucket = aws_s3_bucket.s3_bucket_oracledb_backups_inventory.id
214 │ rule {
215 │ apply_server_side_encryption_by_default {
216 │ kms_master_key_id = var.account_config.kms_keys.general_shared
217 │ sse_algorithm = "aws:kms"
218 │ }
219 │ }
220 └ }
────────────────────────────────────────
trivy_exitcode=1
```
#### `Checkov Scan` Success
Show Output
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
*****************************
Running Checkov in terraform/environments/delius-core/modules/components/oracle_db_shared
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-29 16:21:31,364 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-10-29 16:21:31,364 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2024-10-29 16:21:31,394 [MainThread ] [WARNI] [ArmLocalGraph] created 0 vertices
2024-10-29 16:21:31,394 [MainThread ] [WARNI] [ArmLocalGraph] created 0 edges
terraform scan results:
Passed checks: 241, Failed checks: 0, Skipped checks: 24
checkov_exitcode=0
```
#### `CTFLint Scan` Failed
Show Output
```hcl
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/delius-core/modules/components/oracle_db_shared
*****************************
Running tflint in terraform/environments/delius-core/modules/components/oracle_db_shared
Excluding the following checks: terraform_unused_declarations
7 issue(s) found:
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 10:
10: "${module.s3_bucket_oracledb_backups.bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 74:
74: "${module.s3_bucket_oracledb_backups.bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 87:
87: "${aws_s3_bucket.s3_bucket_oracledb_backups_inventory.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 126:
126: "${module.s3_bucket_oracle_statistics[0].bucket.arn}",
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 255:
255: values = ["${var.account_info.id}"]
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 267:
267: values = ["${module.s3_bucket_oracledb_backups.bucket.arn}"]
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)
on terraform/environments/delius-core/modules/components/oracle_db_shared/s3.tf line 350:
350: resources = ["${module.s3_bucket_oracle_statistics[0].bucket.arn}"]
Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md
tflint_exitcode=2
```
block="module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal" 2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal" 2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.expiration" value="cty.NilVal" 2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.transition" value="cty.NilVal" 2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.principals" value="cty.NilVal" 2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_ssh_keys.dynamic.condition" value="cty.NilVal" 2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.expiration" value="cty.NilVal" 2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. 
block="module.s3_bucket_oracle_statistics[0].dynamic.transition" value="cty.NilVal" 2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.principals" value="cty.NilVal" 2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.condition" value="cty.NilVal" 2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.expiration" value="cty.NilVal" 2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.transition" value="cty.NilVal" 2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.noncurrent_version_expiration" value="cty.NilVal" 2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.noncurrent_version_transition" value="cty.NilVal" 2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. 
Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.principals" value="cty.NilVal" 2024-10-29T16:11:01Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.s3_bucket_oracle_statistics[0].dynamic.condition" value="cty.NilVal" 2024-10-29T16:11:01Z INFO [terraform executor] Ignore finding rule="aws-ec2-no-public-egress-sgr" range="sg.tf:16" 2024-10-29T16:11:01Z INFO Number of language-specific files num=0 2024-10-29T16:11:01Z INFO Detected config files num=6 s3.tf (terraform) ================= Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0) Failures: 1 (HIGH: 1, CRITICAL: 0) HIGH: Bucket does not encrypt data with a customer managed key. ════════════════════════════════════════ Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys. See https://avd.aquasec.com/misconfig/avd-aws-0132 ──────────────────────────────────────── s3.tf:212-220 ──────────────────────────────────────── 212 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "oracledb_backups_inventory" { 213 │ bucket = aws_s3_bucket.s3_bucket_oracledb_backups_inventory.id 214 │ rule { 215 │ apply_server_side_encryption_by_default { 216 │ kms_master_key_id = var.account_config.kms_keys.general_shared 217 │ sse_algorithm = "aws:kms" 218 │ } 219 │ } 220 └ } ──────────────────────────────────────── trivy_exitcode=1 ```
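The three tflint warnings above are one fixable rule, and the Trivy HIGH on s3.tf:212-220 lands on a block that already sets kms_master_key_id. As an added example (not code from the PR), here is how the flagged expressions look with the deprecated interpolation-only wrapper removed. The policy documents around them are an assumption: the CI output shows only the three flagged lines, so the data source names, sid values and statement layout below are illustrative and not copied from the repository.

```hcl
# Added example, not code from the PR. The three expressions tflint flagged in
# s3.tf (lines 255, 267 and 331) are shown with the interpolation-only "${...}"
# wrapper removed, which is the whole change terraform_deprecated_interpolation
# asks for. Everything around them is assumed: the CI output shows only the
# flagged lines, so the policy documents, sid values and statement layout here
# are illustrative rather than copied from s3.tf.

data "aws_iam_policy_document" "oracledb_backups_inventory" { # assumed name
  # Lets S3 inventory write reports from the backups bucket into the
  # inventory bucket, scoped to this account and this source bucket.
  statement {
    sid     = "AllowInventoryReports"
    effect  = "Allow"
    actions = ["s3:PutObject"]

    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com"]
    }

    # A template with a suffix is not interpolation-only, so the quotes and
    # "${...}" are still required here and tflint does not flag it.
    resources = ["${aws_s3_bucket.s3_bucket_oracledb_backups_inventory.arn}/*"]

    # was (line 255): values = ["${var.account_info.id}"]
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [var.account_info.id]
    }

    # was (line 267): values = ["${module.s3_bucket_oracledb_backups.bucket.arn}"]
    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = [module.s3_bucket_oracledb_backups.bucket.arn]
    }
  }
}

data "aws_iam_policy_document" "oracle_statistics" { # assumed name
  statement {
    sid     = "AllowStatisticsBucketList"
    effect  = "Allow"
    actions = ["s3:ListBucket"]

    # was (line 331): resources = ["${module.s3_bucket_oracle_statistics[0].bucket.arn}"]
    # The [0] index stays: the module is created with count, so a reference
    # without an index is a list of module instances, not a single ARN.
    resources = [module.s3_bucket_oracle_statistics[0].bucket.arn]
  }
}
```

tflint can make this rewrite itself: the warnings are marked [Fixable], and `tflint --fix` applies them in place. The Trivy HIGH is a different case. The flagged block sets kms_master_key_id from var.account_config, but the parser logged that no values were found for account_config and the other root variables, which is the likely reason the check saw no key id at all. Rerun the scan with variable values supplied (`trivy config --tf-vars <path to .tfvars> .`) and confirm that var.account_config.kms_keys.general_shared is a customer managed key ARN before either treating the finding as real or suppressing it with an inline `#trivy:ignore:AVD-AWS-0132` comment, as this module already does for aws-ec2-no-public-egress-sgr in sg.tf.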