ministryofjustice / modernisation-platform-environments

Modernisation platform environments • This repository is defined and managed in Terraform
MIT License

🧪 Debugging MoJO #8496

Open jacobwoffenden opened 10 hours ago

jacobwoffenden commented 10 hours ago

This pull request:

Signed-off-by: Jacob Woffenden jacob.woffenden@justice.gov.uk

modernisation-platform-ci commented 10 hours ago

@jacobwoffenden Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs

github-actions[bot] commented 10 hours ago

#### `Trivy Scan` Failed

```hcl
*****************************
Trivy will check the following folders:
terraform/environments/analytical-platform-ingestion
*****************************
Running Trivy in terraform/environments/analytical-platform-ingestion
2024-10-29T16:38:27Z  INFO   [vulndb] Need to update DB
2024-10-29T16:38:27Z  INFO   [vulndb] Downloading vulnerability DB...
2024-10-29T16:38:27Z  INFO   [vulndb] Downloading artifact...  repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T16:38:30Z  INFO   [vulndb] Artifact successfully downloaded  repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-10-29T16:38:30Z  INFO   [vuln] Vulnerability scanning is enabled
2024-10-29T16:38:30Z  INFO   [misconfig] Misconfiguration scanning is enabled
2024-10-29T16:38:30Z  INFO   [misconfig] Need to update the built-in checks
2024-10-29T16:38:30Z  INFO   [misconfig] Downloading the built-in checks...
2024-10-29T16:38:30Z  ERROR  [misconfig] Falling back to embedded checks  err="failed to download built-in policies: download error: oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-checks/blobs/sha256:16957b935ef82529bc26f3ceeeb60d798c90ef142d25e3715ab4478b204ed1bb: TOOMANYREQUESTS: retry-after: 928.074µs, allowed: 44000/minute"
2024-10-29T16:38:30Z  INFO   [secret] Secret scanning is enabled
2024-10-29T16:38:30Z  INFO   [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-29T16:38:30Z  INFO   [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-29T16:38:31Z  INFO   [terraform scanner] Scanning root module  file_path="."
2024-10-29T16:38:31Z  WARN   [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.  module="root" variables="networking"
2024-10-29T16:38:31Z  ERROR  [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.connected_vpc_transit_gateway_routes" value="cty.NilVal"
2024-10-29T16:38:31Z  ERROR  [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.sftp_users" value="cty.NilVal"
2024-10-29T16:38:31Z  ERROR  [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.sftp_users_with_egress" value="cty.NilVal"
2024-10-29T16:38:36Z  ERROR  [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-29T16:38:36Z  ERROR  [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.bold_egress_bucket.dynamic.rule" value="cty.NilVal"
2024-10-29T16:38:37Z  ERROR  [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T16:38:37Z  ERROR  [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-29T16:38:37Z  ERROR  [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T16:38:37Z  ERROR  [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-29T16:38:37Z  ERROR  [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T16:38:37Z  ERROR  [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-29T16:38:37Z  ERROR  [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T16:38:37Z  ERROR  [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-29T16:38:37Z  ERROR  [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-29T16:38:37Z  ERROR  [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.definitions_bucket.dynamic.rule" value="cty.NilVal"
2024-10-29T16:38:37Z  ERROR  [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T16:38:37Z  ERROR  [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-29T16:38:37Z  ERROR  [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.definition_upload_lambda.dynamic.vpc_config" value="cty.NilVal"
2024-10-29T16:38:37Z  ERROR  [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.  block="module.definition_upload_lambda.dynamic.logging_config" value="cty.NilVal"
2024-10-29T16:38:38Z  INFO   [terraform executor] Ignore finding  rule="aws-s3-encryption-customer-key" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-29T16:38:38Z  INFO   [terraform executor] Ignore finding  rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:533"
2024-10-29T16:38:38Z  INFO   [terraform executor] Ignore finding  rule="aws-ec2-no-public-egress-sgr" range="terraform-aws-modules/security-group/aws/main.tf:534"
2024-10-29T16:38:38Z  INFO   [terraform executor] Ignore finding  rule="aws-s3-enable-bucket-encryption" range="git::https:/github.com/terraform-aws-modules/terraform-aws-s3-bucket?ref=8a0b697adfbc673e6135c70246cff7f8052ad95a/main.tf:176-198"
2024-10-29T16:38:38Z  INFO   Number of language-specific files  num=0
2024-10-29T16:38:38Z  INFO   Detected config files  num=14

git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf (terraform)
===============================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Load balancer is exposed publicly.
════════════════════════════════════════
There are many scenarios in which you would want to expose a load balancer to the wider internet, but this check exists as a warning to prevent accidental exposure of internal assets. You should ensure that this resource should be exposed publicly.

See https://avd.aquasec.com/misconfig/avd-aws-0053
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:47
   via git::https:/github.com/terraform-aws-modules/terraform-aws-alb?ref=349540d1a611cd98a6383cc64ef0d9bf08d88fb7/main.tf:12-81 (aws_lb.this[0])
    via network-load-balancers.tf:1-37 (module.datasync_activation_nlb)
────────────────────────────────────────
  12   resource "aws_lb" "this" {
  ..
  47 [   internal = var.internal
  ..
  81   }
────────────────────────────────────────


git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf (terraform)
===============================================================================================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:340
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...
 340 [   protocol = var.private_outbound_acl_rules[count.index]["protocol"]
 ...
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:323
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...
 323 [   protocol = var.private_inbound_acl_rules[count.index]["protocol"]
 ...
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:221
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...
 221 [   protocol = var.public_outbound_acl_rules[count.index]["protocol"]
 ...
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204
   via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:1-19 (module.connected_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...
 204 [   protocol = var.public_inbound_acl_rules[count.index]["protocol"]
 ...
 207   }
────────────────────────────────────────


terraform-aws-modules/vpc/aws/main.tf (terraform)
=================================================
Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0)
Failures: 4 (HIGH: 0, CRITICAL: 4)

CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:340
   via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 328   resource "aws_network_acl_rule" "private_outbound" {
 ...
 340 [   protocol = var.private_outbound_acl_rules[count.index]["protocol"]
 ...
 343   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:323
   via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 311   resource "aws_network_acl_rule" "private_inbound" {
 ...
 323 [   protocol = var.private_inbound_acl_rules[count.index]["protocol"]
 ...
 326   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:221
   via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 209   resource "aws_network_acl_rule" "public_outbound" {
 ...
 221 [   protocol = var.public_outbound_acl_rules[count.index]["protocol"]
 ...
 224   }
────────────────────────────────────────


CRITICAL: Network ACL rule allows access using ALL ports.
════════════════════════════════════════
Ensure access to specific required ports is allowed, and nothing else.

See https://avd.aquasec.com/misconfig/avd-aws-0102
────────────────────────────────────────
 terraform-aws-modules/vpc/aws/main.tf:204
   via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0])
    via vpc.tf:21-42 (module.isolated_vpc)
────────────────────────────────────────
 192   resource "aws_network_acl_rule" "public_inbound" {
 ...
 204 [   protocol = var.public_inbound_acl_rules[count.index]["protocol"]
 ...
 207   }
────────────────────────────────────────


trivy_exitcode=1
```
#### `Checkov Scan` Failed
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/analytical-platform-ingestion
*****************************
Running Checkov in terraform/environments/analytical-platform-ingestion
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-29 16:38:41,294 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:5.6.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,294 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,294 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,294 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/resolver-rule-associations:4.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,295 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/secrets-manager/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,295 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/sns/aws:6.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,295 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,295 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/route53/aws//modules/resolver-endpoints:4.1.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,295 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.9.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,295 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.13.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,296 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,296 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,296 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.2.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,296 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/alb/aws:9.11.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,296 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/s3-bucket/aws//modules/notification:4.1.2 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,296 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.1 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,297 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:5.7.0 (for external modules, the --download-external-modules flag is required)
2024-10-29 16:38:41,309 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-10-29 16:38:41,314 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 167, Failed checks: 2, Skipped checks: 65

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
    FAILED for resource: connected_vpc_route53_resolver_associations
    File: /route53-resolver-associations.tf:1-13
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

        1  | module "connected_vpc_route53_resolver_associations" {
        2  |
        3  |   source  = "terraform-aws-modules/route53/aws//modules/resolver-rule-associations"
        4  |   version = "4.1.0"
        5  |
        6  |   vpc_id = module.connected_vpc.vpc_id
        7  |
        8  |   resolver_rule_associations = {
        9  |     mojo-dns-resolver-dom1-infra-int = {
        10 |       resolver_rule_id = aws_route53_resolver_rule.mojo_dns_resolver_dom1_infra_int.id
        11 |     }
        12 |   }
        13 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
    FAILED for resource: connected_vpc_outbound_route53_resolver_endpoint
    File: /route53-resolver-endpoints.tf:1-27
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

        1  | module "connected_vpc_outbound_route53_resolver_endpoint" {
        2  |   source  = "terraform-aws-modules/route53/aws//modules/resolver-endpoints"
        3  |   version = "4.1.0"
        4  |
        5  |   name      = "connected-vpc-outbound"
        6  |   vpc_id    = module.connected_vpc.vpc_id
        7  |   direction = "OUTBOUND"
        8  |   protocols = ["Do53"]
        9  |
        10 |   ip_address = [
        11 |     {
        12 |       subnet_id = module.connected_vpc.private_subnets[0]
        13 |     },
        14 |     {
        15 |       subnet_id = module.connected_vpc.private_subnets[1]
        16 |     }
        17 |   ]
        18 |
        19 |   security_group_ingress_cidr_blocks = [module.connected_vpc.vpc_cidr_block]
        20 |   security_group_egress_cidr_blocks = [
        21 |     /* MoJO DNS Resolver Service */
        22 |     "10.180.80.5/32",
        23 |     "10.180.81.5/32"
        24 |   ]
        25 |
        26 |   tags = local.tags
        27 | }

checkov_exitcode=1
```
#### `CTFLint Scan` Success
```hcl
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/analytical-platform-ingestion
*****************************
Running tflint in terraform/environments/analytical-platform-ingestion
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0
```
See https://avd.aquasec.com/misconfig/avd-aws-0102 โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:204 via git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=e226cc15a7b8f62fd0e108792fea66fa85bcb4b9/main.tf:192-207 (aws_network_acl_rule.public_inbound[0]) via vpc.tf:1-19 (module.connected_vpc) โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ 192 resource "aws_network_acl_rule" "public_inbound" { ... 204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"] ... 207 } โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ terraform-aws-modules/vpc/aws/main.tf (terraform) ================================================= Tests: 4 (SUCCESSES: 0, FAILURES: 4, EXCEPTIONS: 0) Failures: 4 (HIGH: 0, CRITICAL: 4) CRITICAL: Network ACL rule allows access using ALL ports. โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ• Ensure access to specific required ports is allowed, and nothing else. See https://avd.aquasec.com/misconfig/avd-aws-0102 โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ terraform-aws-modules/vpc/aws/main.tf:340 via terraform-aws-modules/vpc/aws/main.tf:328-343 (aws_network_acl_rule.private_outbound[0]) via vpc.tf:21-42 (module.isolated_vpc) โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ 328 resource "aws_network_acl_rule" "private_outbound" { ... 340 [ protocol = var.private_outbound_acl_rules[count.index]["protocol"] ... 
343 } โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ CRITICAL: Network ACL rule allows access using ALL ports. โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ• Ensure access to specific required ports is allowed, and nothing else. See https://avd.aquasec.com/misconfig/avd-aws-0102 โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ terraform-aws-modules/vpc/aws/main.tf:323 via terraform-aws-modules/vpc/aws/main.tf:311-326 (aws_network_acl_rule.private_inbound[0]) via vpc.tf:21-42 (module.isolated_vpc) โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ 311 resource "aws_network_acl_rule" "private_inbound" { ... 323 [ protocol = var.private_inbound_acl_rules[count.index]["protocol"] ... 326 } โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ CRITICAL: Network ACL rule allows access using ALL ports. โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ• Ensure access to specific required ports is allowed, and nothing else. See https://avd.aquasec.com/misconfig/avd-aws-0102 โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ terraform-aws-modules/vpc/aws/main.tf:221 via terraform-aws-modules/vpc/aws/main.tf:209-224 (aws_network_acl_rule.public_outbound[0]) via vpc.tf:21-42 (module.isolated_vpc) โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ 209 resource "aws_network_acl_rule" "public_outbound" { ... 221 [ protocol = var.public_outbound_acl_rules[count.index]["protocol"] ... 
224 } โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ CRITICAL: Network ACL rule allows access using ALL ports. โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ• Ensure access to specific required ports is allowed, and nothing else. See https://avd.aquasec.com/misconfig/avd-aws-0102 โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ terraform-aws-modules/vpc/aws/main.tf:204 via terraform-aws-modules/vpc/aws/main.tf:192-207 (aws_network_acl_rule.public_inbound[0]) via vpc.tf:21-42 (module.isolated_vpc) โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ 192 resource "aws_network_acl_rule" "public_inbound" { ... 204 [ protocol = var.public_inbound_acl_rules[count.index]["protocol"] ... 207 } โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€ trivy_exitcode=1 ```
modernisation-platform-ci commented 10 hours ago

@jacobwoffenden Terraform plan evaluation detected changes to resources that require approval from a member of @ministryofjustice/modernisation-platform - please contact #ask-modernisation-platform for assistance

Guidance on approving these PRs is available at https://user-guide.modernisation-platform.service.justice.gov.uk/runbooks/reviewing-mp-environments-prs.html#process-for-approving-prs