
Bump terraform-aws-modules/kms/aws from 2.2.0 to 3.0.0 in /terraform/environments/data-platform-apps-and-tools #6044

Open. Wants to merge 1 commit into base: main.

Conversation

@dependabot dependabot bot commented on behalf of github May 13, 2024

Bumps terraform-aws-modules/kms/aws from 2.2.0 to 3.0.0.

Release notes

Sourced from terraform-aws-modules/kms/aws's releases.

v3.0.0

3.0.0 (2024-05-11)

⚠ BREAKING CHANGES

  • Support rotation_period_in_days, AWS Provider v5, Terraform MSV 1.3 (#32)

Features

  • Support rotation_period_in_days, AWS Provider v5, Terraform MSV 1.3 (#32) (f8c96ce)

v2.2.1

2.2.1 (2024-03-06)

Bug Fixes

  • Update CI workflow versions to remove deprecated runtime warnings (#28) (866950f)

Changelog

Sourced from terraform-aws-modules/kms/aws's changelog.

3.0.0 (2024-05-11)

⚠ BREAKING CHANGES

  • Support rotation_period_in_days, AWS Provider v5, Terraform MSV 1.3 (#32)

Features

  • Support rotation_period_in_days, AWS Provider v5, Terraform MSV 1.3 (#32) (f8c96ce)

2.2.1 (2024-03-06)

Bug Fixes

  • Update CI workflow versions to remove deprecated runtime warnings (#28) (866950f)

Commits
  • 8478d2d chore(release): version 3.0.0 [skip ci]
  • f8c96ce feat!: Support rotation_period_in_days, AWS Provider v5, Terraform MSV 1.3 ...
  • 22226b6 chore(release): version 2.2.1 [skip ci]
  • 866950f fix: Update CI workflow versions to remove deprecated runtime warnings (#28)
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot requested a review from a team as a code owner May 13, 2024 00:26
@dependabot dependabot bot added dependencies Pull requests that update a dependency file terraform Pull requests that update Terraform code labels May 13, 2024
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label May 13, 2024
Trivy Scan Failed

Trivy will check the following folders:
terraform/environments/data-platform-apps-and-tools terraform/environments/data-platform-apps-and-tools/modules/auth0-log-streams


Running Trivy in terraform/environments/data-platform-apps-and-tools
2024-05-13T00:29:03Z INFO Need to update DB
2024-05-13T00:29:03Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-13T00:29:05Z INFO Vulnerability scanning is enabled
2024-05-13T00:29:05Z INFO Misconfiguration scanning is enabled
2024-05-13T00:29:05Z INFO Need to update the built-in policies
2024-05-13T00:29:05Z INFO Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-05-13T00:29:05Z INFO Secret scanning is enabled
2024-05-13T00:29:05Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-13T00:29:05Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-13T00:29:25Z INFO Number of language-specific files num=1
2024-05-13T00:29:25Z INFO [pip] Detecting vulnerabilities...
2024-05-13T00:29:25Z INFO Detected config files num=23

data.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

eks-iam-policies.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=2cb1fac31b0fc2dd6a236b0c0678df75819c5a3b/main.tf (terraform)

Tests: 5 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=39e42e1f847afe5fd1c1c98c64871817e37e33ca/modules/iam-role-for-service-accounts-eks/policies.tf (terraform)

Tests: 25 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 25)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179
via s3.tf:5-15 (module.airflow_s3_bucket)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
172 │ bucket = aws_s3_bucket.default.id
173 │ rule {
174 │ apply_server_side_encryption_by_default {
175 │ sse_algorithm = var.sse_algorithm
176 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
177 │ }
178 │ }
179 └ }
────────────────────────────────────────

mwaa-iam-policies.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

powerbi-gateway-iam.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

powerbi-gateway-security-group.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
powerbi-gateway-security-group.tf:26
via powerbi-gateway-security-group.tf:22-27 (egress)
via powerbi-gateway-security-group.tf:2-30 (aws_security_group.powerbi_gateway)
────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
26 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
powerbi-gateway-security-group.tf:19
via powerbi-gateway-security-group.tf:15-20 (egress)
via powerbi-gateway-security-group.tf:2-30 (aws_security_group.powerbi_gateway)
────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
19 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
powerbi-gateway-security-group.tf:12
via powerbi-gateway-security-group.tf:8-13 (egress)
via powerbi-gateway-security-group.tf:2-30 (aws_security_group.powerbi_gateway)
────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
12 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────

trivy_exitcode=1


Running Trivy in terraform/environments/data-platform-apps-and-tools/modules/auth0-log-streams
2024-05-13T00:29:25Z INFO Vulnerability scanning is enabled
2024-05-13T00:29:25Z INFO Misconfiguration scanning is enabled
2024-05-13T00:29:25Z INFO Secret scanning is enabled
2024-05-13T00:29:25Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-13T00:29:25Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-13T00:29:26Z INFO Number of language-specific files num=0
2024-05-13T00:29:26Z INFO Detected config files num=3
trivy_exitcode=1


Checkov Scan Failed


*****************************

Checkov will check the following folders:
terraform/environments/data-platform-apps-and-tools terraform/environments/data-platform-apps-and-tools/modules/auth0-log-streams

*****************************

Running Checkov in terraform/environments/data-platform-apps-and-tools
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-05-13 00:29:29,013 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:~> 3.0 (for external modules, the --download-external-modules flag is required)
2024-05-13 00:29:29,014 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-05-13 00:29:29,014 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-05-13 00:29:29,014 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:None (for external modules, the --download-external-modules flag is required)
2024-05-13 00:29:29,014 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-05-13 00:29:29,014 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-05-13 00:29:29,014 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-05-13 00:29:29,015 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-05-13 00:29:29,015 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:~> 6.0 (for external modules, the --download-external-modules flag is required)
2024-05-13 00:29:29,015 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-05-13 00:29:29,015 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-user:~> 5 (for external modules, the --download-external-modules flag is required)
2024-05-13 00:29:29,015 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:~> 6.0 (for external modules, the --download-external-modules flag is required)
2024-05-13 00:29:29,015 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.0.0 (for external modules, the --download-external-modules flag is required)
2024-05-13 00:29:29,015 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:19.21.0 (for external modules, the --download-external-modules flag is required)
2024-05-13 00:29:29,015 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-05-13 00:29:29,016 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/efs/aws:~> 1.0 (for external modules, the --download-external-modules flag is required)
2024-05-13 00:29:29,016 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 147, Failed checks: 20, Skipped checks: 44

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.powerbi_gateway_reg_credentials
	File: /powerbi-gateway-secret.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "powerbi_gateway_reg_credentials" {
		2 |   name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-credentials"
		3 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.powerbi_gateway
	File: /powerbi-gateway-security-group.tf:2-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		2  | resource "aws_security_group" "powerbi_gateway" {
		3  |   name        = local.environment_configuration.powerbi_gateway_ec2.instance_name
		4  |   description = local.environment_configuration.powerbi_gateway_ec2.instance_name
		5  |   vpc_id      = data.aws_vpc.shared.id
		6  | 
		7  |   # https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-communication#ports
		8  |   egress {
		9  |     from_port   = 443
		10 |     to_port     = 443
		11 |     protocol    = "tcp"
		12 |     cidr_blocks = ["0.0.0.0/0"]
		13 |   }
		14 | 
		15 |   egress {
		16 |     from_port   = 5671
		17 |     to_port     = 5672
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     from_port   = 9352
		24 |     to_port     = 9354
		25 |     protocol    = "tcp"
		26 |     cidr_blocks = ["0.0.0.0/0"]
		27 |   }
		28 | 
		29 |   tags = local.tags
		30 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: powerbi_gateway
	File: /powerbi-gateway-server.tf:14-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		14 | module "powerbi_gateway" {
		15 |   source  = "terraform-aws-modules/ec2-instance/aws"
		16 |   version = "v5.6.0"
		17 | 
		18 |   name = local.environment_configuration.powerbi_gateway_ec2.instance_name
		19 |   # ami                         = data.aws_ami.windows_server_2022.id
		20 |   ami                         = "ami-00ffeb610527f540b" # Hardcoded AMI ID for Windows Server 2022
		21 |   instance_type               = local.environment_configuration.powerbi_gateway_ec2.instance_type
		22 |   key_name                    = aws_key_pair.powerbi_gateway_keypair.key_name
		23 |   monitoring                  = true
		24 |   create_iam_instance_profile = true
		25 |   iam_role_description        = "IAM role for PowerBI Gateway Instance"
		26 |   ignore_ami_changes          = false
		27 |   enable_volume_tags          = false
		28 |   associate_public_ip_address = false
		29 |   iam_role_policies = {
		30 |     SSMCore            = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
		31 |     PowerBI_DataAccess = aws_iam_policy.powerbi_gateway_data_access.arn
		32 |   }
		33 |   root_block_device = [
		34 |     {
		35 |       encrypted   = true
		36 |       volume_type = "gp3"
		37 |       volume_size = 100
		38 |       tags = merge({
		39 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-root-volume"
		40 |       }, local.tags)
		41 |     },
		42 |   ]
		43 | 
		44 |   ebs_block_device = [
		45 |     {
		46 |       volume_type = "gp3"
		47 |       device_name = "/dev/sdf"
		48 |       volume_size = 300
		49 |       encrypted   = true
		50 |       tags = merge({
		51 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-data-volume"
		52 |       }, local.tags)
		53 |     }
		54 |   ]
		55 |   vpc_security_group_ids = [aws_security_group.powerbi_gateway.id]
		56 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		57 | 
		58 |   tags = local.tags
		59 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: airflow_s3_bucket
	File: /s3.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "airflow_s3_bucket" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		7  | 
		8  |   providers = {
		9  |     aws.bucket-replication = aws
		10 |   }
		11 | 
		12 |   bucket_prefix = "moj-data-platform-airflow-${local.environment}"
		13 | 
		14 |   tags = local.tags
		15 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_client_id
	File: /secrets.tf:7-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		7  | resource "aws_secretsmanager_secret" "openmetadata_entra_id_client_id" {
		8  |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		9  | 
		10 |   name = "openmetadata/entra-id/client-id"
		11 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_tenant_id
	File: /secrets.tf:13-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		13 | resource "aws_secretsmanager_secret" "openmetadata_entra_id_tenant_id" {
		14 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		15 | 
		16 |   name = "openmetadata/entra-id/tenant-id"
		17 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_app_id
	File: /secrets.tf:19-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		19 | resource "aws_secretsmanager_secret" "github_app_arc_app_id" {
		20 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		21 | 
		22 |   name = "github/arc/app-id"
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_install_id
	File: /secrets.tf:25-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		25 | resource "aws_secretsmanager_secret" "github_app_arc_install_id" {
		26 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		27 | 
		28 |   name = "github/arc/install-id"
		29 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_private_key
	File: /secrets.tf:31-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		31 | resource "aws_secretsmanager_secret" "github_app_arc_private_key" {
		32 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		33 | 
		34 |   name = "github/arc/private-key"
		35 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:38-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		38 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		39 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		40 | 
		41 |   name = "gov-uk-notify/production/api-key"
		42 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.jml_email
	File: /secrets.tf:45-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		45 | resource "aws_secretsmanager_secret" "jml_email" {
		46 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		47 | 
		48 |   name = "jml/email"
		49 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.powerbi_gateway
	File: /powerbi-gateway-security-group.tf:2-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "powerbi_gateway" {
		3  |   name        = local.environment_configuration.powerbi_gateway_ec2.instance_name
		4  |   description = local.environment_configuration.powerbi_gateway_ec2.instance_name
		5  |   vpc_id      = data.aws_vpc.shared.id
		6  | 
		7  |   # https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-communication#ports
		8  |   egress {
		9  |     from_port   = 443
		10 |     to_port     = 443
		11 |     protocol    = "tcp"
		12 |     cidr_blocks = ["0.0.0.0/0"]
		13 |   }
		14 | 
		15 |   egress {
		16 |     from_port   = 5671
		17 |     to_port     = 5672
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     from_port   = 9352
		24 |     to_port     = 9354
		25 |     protocol    = "tcp"
		26 |     cidr_blocks = ["0.0.0.0/0"]
		27 |   }
		28 | 
		29 |   tags = local.tags
		30 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.powerbi_gateway_reg_credentials
	File: /powerbi-gateway-secret.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "powerbi_gateway_reg_credentials" {
		2 |   name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-credentials"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_client_id
	File: /secrets.tf:7-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		7  | resource "aws_secretsmanager_secret" "openmetadata_entra_id_client_id" {
		8  |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		9  | 
		10 |   name = "openmetadata/entra-id/client-id"
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_tenant_id
	File: /secrets.tf:13-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		13 | resource "aws_secretsmanager_secret" "openmetadata_entra_id_tenant_id" {
		14 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		15 | 
		16 |   name = "openmetadata/entra-id/tenant-id"
		17 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_app_id
	File: /secrets.tf:19-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		19 | resource "aws_secretsmanager_secret" "github_app_arc_app_id" {
		20 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		21 | 
		22 |   name = "github/arc/app-id"
		23 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_install_id
	File: /secrets.tf:25-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		25 | resource "aws_secretsmanager_secret" "github_app_arc_install_id" {
		26 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		27 | 
		28 |   name = "github/arc/install-id"
		29 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_private_key
	File: /secrets.tf:31-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		31 | resource "aws_secretsmanager_secret" "github_app_arc_private_key" {
		32 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		33 | 
		34 |   name = "github/arc/private-key"
		35 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:38-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		38 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		39 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		40 | 
		41 |   name = "gov-uk-notify/production/api-key"
		42 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.jml_email
	File: /secrets.tf:45-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		45 | resource "aws_secretsmanager_secret" "jml_email" {
		46 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		47 | 
		48 |   name = "jml/email"
		49 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/data-platform-apps-and-tools/modules/auth0-log-streams
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-05-13 00:29:32,763 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 14, Failed checks: 0, Skipped checks: 1


checkov_exitcode=1

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/data-platform-apps-and-tools terraform/environments/data-platform-apps-and-tools/modules/auth0-log-streams

*****************************

Running tflint in terraform/environments/data-platform-apps-and-tools
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/data-platform-apps-and-tools/random.tf line 24:
  24: resource "random_password" "datahub_rds" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/data-platform-apps-and-tools/modules/auth0-log-streams
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on  line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/data-platform-apps-and-tools/modules/auth0-log-streams/data.tf line 6:
   6: data "aws_cloudwatch_event_source" "this" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=4

 171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 172 │   bucket = aws_s3_bucket.default.id
 173 │   rule {
 174 │     apply_server_side_encryption_by_default {
 175 │       sse_algorithm     = var.sse_algorithm
 176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 177 │     }
 178 │   }
 179 └ }
────────────────────────────────────────



mwaa-iam-policies.tf (terraform)
================================
Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


powerbi-gateway-iam.tf (terraform)
==================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


powerbi-gateway-security-group.tf (terraform)
=============================================
Tests: 3 (SUCCESSES: 0, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 powerbi-gateway-security-group.tf:26
   via powerbi-gateway-security-group.tf:22-27 (egress)
    via powerbi-gateway-security-group.tf:2-30 (aws_security_group.powerbi_gateway)
────────────────────────────────────────
   2   resource "aws_security_group" "powerbi_gateway" {
   .   
  26 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  30   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 powerbi-gateway-security-group.tf:19
   via powerbi-gateway-security-group.tf:15-20 (egress)
    via powerbi-gateway-security-group.tf:2-30 (aws_security_group.powerbi_gateway)
────────────────────────────────────────
   2   resource "aws_security_group" "powerbi_gateway" {
   .   
  19 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  30   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 powerbi-gateway-security-group.tf:12
   via powerbi-gateway-security-group.tf:8-13 (egress)
    via powerbi-gateway-security-group.tf:2-30 (aws_security_group.powerbi_gateway)
────────────────────────────────────────
   2   resource "aws_security_group" "powerbi_gateway" {
   .   
  12 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  30   }
────────────────────────────────────────


trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/data-platform-apps-and-tools/modules/auth0-log-streams
2024-05-13T00:29:25Z	INFO	Vulnerability scanning is enabled
2024-05-13T00:29:25Z	INFO	Misconfiguration scanning is enabled
2024-05-13T00:29:25Z	INFO	Secret scanning is enabled
2024-05-13T00:29:25Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-13T00:29:25Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-13T00:29:26Z	INFO	Number of language-specific files	num=0
2024-05-13T00:29:26Z	INFO	Detected config files	num=3
trivy_exitcode=1

Bumps [terraform-aws-modules/kms/aws](https://github.com/terraform-aws-modules/terraform-aws-kms) from 2.2.0 to 3.0.0.
- [Release notes](https://github.com/terraform-aws-modules/terraform-aws-kms/releases)
- [Changelog](https://github.com/terraform-aws-modules/terraform-aws-kms/blob/master/CHANGELOG.md)
- [Commits](terraform-aws-modules/terraform-aws-kms@v2.2.0...v3.0.0)

---
updated-dependencies:
- dependency-name: terraform-aws-modules/kms/aws
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/terraform/terraform/environments/data-platform-apps-and-tools/terraform-aws-modules/kms/aws-3.0.0 branch from c5b3752 to f246e3d on May 17, 2024 12:27

Trivy Scan Failed

Show Output

Trivy will check the following folders:
terraform/environments/data-platform-apps-and-tools terraform/environments/data-platform-apps-and-tools/modules/auth0-log-streams


Running Trivy in terraform/environments/data-platform-apps-and-tools
2024-05-17T12:29:57Z INFO Need to update DB
2024-05-17T12:29:57Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-17T12:29:59Z INFO Vulnerability scanning is enabled
2024-05-17T12:29:59Z INFO Misconfiguration scanning is enabled
2024-05-17T12:29:59Z INFO Need to update the built-in policies
2024-05-17T12:29:59Z INFO Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-05-17T12:29:59Z INFO Secret scanning is enabled
2024-05-17T12:29:59Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-17T12:29:59Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-17T12:30:18Z INFO Number of language-specific files num=1
2024-05-17T12:30:18Z INFO [pip] Detecting vulnerabilities...
2024-05-17T12:30:18Z INFO Detected config files num=23

data.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

eks-iam-policies.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=2cb1fac31b0fc2dd6a236b0c0678df75819c5a3b/main.tf (terraform)

Tests: 5 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb/modules/iam-role-for-service-accounts-eks/policies.tf (terraform)

Tests: 25 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 25)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf (terraform)

Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179
via s3.tf:5-15 (module.airflow_s3_bucket)
────────────────────────────────────────
171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
172 │ bucket = aws_s3_bucket.default.id
173 │ rule {
174 │ apply_server_side_encryption_by_default {
175 │ sse_algorithm = var.sse_algorithm
176 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
177 │ }
178 │ }
179 └ }
────────────────────────────────────────

mwaa-iam-policies.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

powerbi-gateway-iam.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

powerbi-gateway-security-group.tf (terraform)

Tests: 3 (SUCCESSES: 0, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
powerbi-gateway-security-group.tf:26
via powerbi-gateway-security-group.tf:22-27 (egress)
via powerbi-gateway-security-group.tf:2-30 (aws_security_group.powerbi_gateway)
────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
26 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
powerbi-gateway-security-group.tf:19
via powerbi-gateway-security-group.tf:15-20 (egress)
via powerbi-gateway-security-group.tf:2-30 (aws_security_group.powerbi_gateway)
────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
19 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
powerbi-gateway-security-group.tf:12
via powerbi-gateway-security-group.tf:8-13 (egress)
via powerbi-gateway-security-group.tf:2-30 (aws_security_group.powerbi_gateway)
────────────────────────────────────────
2 resource "aws_security_group" "powerbi_gateway" {
.
12 [ cidr_blocks = ["0.0.0.0/0"]
..
30 }
────────────────────────────────────────

trivy_exitcode=1


Running Trivy in terraform/environments/data-platform-apps-and-tools/modules/auth0-log-streams
2024-05-17T12:30:19Z INFO Vulnerability scanning is enabled
2024-05-17T12:30:19Z INFO Misconfiguration scanning is enabled
2024-05-17T12:30:19Z INFO Secret scanning is enabled
2024-05-17T12:30:19Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-17T12:30:19Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-17T12:30:20Z INFO Number of language-specific files num=0
2024-05-17T12:30:20Z INFO Detected config files num=3
trivy_exitcode=1

Checkov Scan Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/data-platform-apps-and-tools terraform/environments/data-platform-apps-and-tools/modules/auth0-log-streams

*****************************

Running Checkov in terraform/environments/data-platform-apps-and-tools
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-05-17 12:30:22,778 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.0.1 (for external modules, the --download-external-modules flag is required)
2024-05-17 12:30:22,778 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-05-17 12:30:22,779 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/efs/aws:~> 1.0 (for external modules, the --download-external-modules flag is required)
2024-05-17 12:30:22,779 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/ec2-instance/aws:None (for external modules, the --download-external-modules flag is required)
2024-05-17 12:30:22,779 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-05-17 12:30:22,779 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-05-17 12:30:22,779 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-05-17 12:30:22,780 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-user:~> 5 (for external modules, the --download-external-modules flag is required)
2024-05-17 12:30:22,780 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds/aws:~> 6.0 (for external modules, the --download-external-modules flag is required)
2024-05-17 12:30:22,780 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:~> 3.0 (for external modules, the --download-external-modules flag is required)
2024-05-17 12:30:22,780 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:19.21.0 (for external modules, the --download-external-modules flag is required)
2024-05-17 12:30:22,780 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-05-17 12:30:22,780 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:~> 6.0 (for external modules, the --download-external-modules flag is required)
2024-05-17 12:30:22,780 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/cloudwatch/aws//modules/log-group:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-05-17 12:30:22,780 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
2024-05-17 12:30:22,781 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-05-17 12:30:22,781 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 149, Failed checks: 62, Skipped checks: 44

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: openmetadata_opensearch_cloudwatch_log_group
	File: /cloudwatch-log-groups.tf:1-10

		1  | module "openmetadata_opensearch_cloudwatch_log_group" {
		2  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		3  |   source  = "terraform-aws-modules/cloudwatch/aws//modules/log-group"
		4  |   version = "~> 5.0"
		5  | 
		6  |   name              = "/aws/opensearch/openmetadata"
		7  |   retention_in_days = 400
		8  | 
		9  |   tags = local.tags
		10 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: openmetadata_efs
	File: /efs.tf:1-64

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: eks
	File: /eks-cluster.tf:4-103

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: openmetadata_airflow_iam_policy
	File: /eks-iam-policies.tf:10-18

		10 | module "openmetadata_airflow_iam_policy" {
		11 |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		12 |   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
		13 |   version = "~> 5.0"
		14 | 
		15 |   name_prefix = "openmetadata-airflow"
		16 | 
		17 |   policy = data.aws_iam_policy_document.openmetadata_airflow.json
		18 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: prometheus_iam_policy
	File: /eks-iam-policies.tf:29-37

		29 | module "prometheus_iam_policy" {
		30 |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		31 |   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
		32 |   version = "~> 5.0"
		33 | 
		34 |   name_prefix = "prometheus"
		35 | 
		36 |   policy = data.aws_iam_policy_document.prometheus.json
		37 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: data_platform_eks_access_iam_policy
	File: /eks-iam-policies.tf:48-56

		48 | module "data_platform_eks_access_iam_policy" {
		49 |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		50 |   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
		51 |   version = "~> 5.0"
		52 | 
		53 |   name_prefix = "data-platform-eks-access"
		54 | 
		55 |   policy = data.aws_iam_policy_document.data_platform_eks_access.json
		56 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: cluster_autoscaler_role
	File: /eks-iam-roles.tf:1-19

		1  | module "cluster_autoscaler_role" {
		2  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		3  | 
		4  |   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
		5  |   version = "~> 5.0"
		6  | 
		7  |   role_name_prefix                 = "cluster-autoscaler"
		8  |   attach_cluster_autoscaler_policy = true
		9  |   cluster_autoscaler_cluster_names = [module.eks.cluster_name]
		10 | 
		11 |   oidc_providers = {
		12 |     main = {
		13 |       provider_arn               = module.eks.oidc_provider_arn
		14 |       namespace_service_accounts = ["kube-system:cluster-autoscaler"]
		15 |     }
		16 |   }
		17 | 
		18 |   tags = local.tags
		19 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: external_dns_role
	File: /eks-iam-roles.tf:21-39

		21 | module "external_dns_role" {
		22 |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		23 | 
		24 |   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
		25 |   version = "~> 5.0"
		26 | 
		27 |   role_name_prefix              = "external-dns"
		28 |   attach_external_dns_policy    = true
		29 |   external_dns_hosted_zone_arns = [data.aws_route53_zone.apps_tools.arn]
		30 | 
		31 |   oidc_providers = {
		32 |     main = {
		33 |       provider_arn               = module.eks.oidc_provider_arn
		34 |       namespace_service_accounts = ["${kubernetes_namespace.external_dns.metadata[0].name}:external-dns"]
		35 |     }
		36 |   }
		37 | 
		38 |   tags = local.tags
		39 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: cert_manager_role
	File: /eks-iam-roles.tf:41-59

		41 | module "cert_manager_role" {
		42 |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		43 | 
		44 |   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
		45 |   version = "~> 5.0"
		46 | 
		47 |   role_name_prefix              = "cert-manager"
		48 |   attach_cert_manager_policy    = true
		49 |   cert_manager_hosted_zone_arns = [data.aws_route53_zone.apps_tools.arn]
		50 | 
		51 |   oidc_providers = {
		52 |     main = {
		53 |       provider_arn               = module.eks.oidc_provider_arn
		54 |       namespace_service_accounts = ["${kubernetes_namespace.cert_manager.metadata[0].name}:cert-manager"]
		55 |     }
		56 |   }
		57 | 
		58 |   tags = local.tags
		59 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: ebs_csi_driver_role
	File: /eks-iam-roles.tf:61-78

		61 | module "ebs_csi_driver_role" {
		62 |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		63 | 
		64 |   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
		65 |   version = "~> 5.0"
		66 | 
		67 |   role_name_prefix      = "ebs-csi-driver"
		68 |   attach_ebs_csi_policy = true
		69 | 
		70 |   oidc_providers = {
		71 |     main = {
		72 |       provider_arn               = module.eks.oidc_provider_arn
		73 |       namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
		74 |     }
		75 |   }
		76 | 
		77 |   tags = local.tags
		78 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: efs_csi_driver_role
	File: /eks-iam-roles.tf:80-97

		80 | module "efs_csi_driver_role" {
		81 |   #checkov:skip=CKV_TF_1:Module is from Terraform registry
		82 | 
		83 |   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
		84 |   version = "~> 5.0"
		85 | 
		86 |   role_name_prefix      = "efs-csi-driver"
		87 |   attach_efs_csi_policy = true
		88 | 
		89 |   oidc_providers = {
		90 |     main = {
		91 |       provider_arn               = module.eks.oidc_provider_arn
		92 |       namespace_service_accounts = ["kube-system:efs-csi-controller-sa"]
		93 |     }
		94 |   }
		95 | 
		96 |   tags = local.tags
		97 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: velero_role
	File: /eks-iam-roles.tf:99-117

		99  | module "velero_role" {
		100 |   #checkov:skip=CKV_TF_1:Module is from Terraform registry
		101 | 
		102 |   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
		103 |   version = "~> 5.0"
		104 | 
		105 |   role_name_prefix      = "velero"
		106 |   attach_velero_policy  = true
		107 |   velero_s3_bucket_arns = [module.velero_s3_bucket.bucket.arn]
		108 | 
		109 |   oidc_providers = {
		110 |     main = {
		111 |       provider_arn               = module.eks.oidc_provider_arn
		112 |       namespace_service_accounts = ["${kubernetes_namespace.velero_system.metadata[0].name}:velero-server"]
		113 |     }
		114 |   }
		115 | 
		116 |   tags = local.tags
		117 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: external_secrets_role
	File: /eks-iam-roles.tf:119-139

		119 | module "external_secrets_role" {
		120 |   #checkov:skip=CKV_TF_1:Module is from Terraform registry
		121 | 
		122 |   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
		123 |   version = "~> 5.0"
		124 | 
		125 |   role_name_prefix               = "external-secrets"
		126 |   attach_external_secrets_policy = true
		127 | 
		128 |   // TODO: define SecretsManager path for cluster consumed secrets
		129 |   // external_secrets_secrets_manager_arns = []
		130 | 
		131 |   oidc_providers = {
		132 |     main = {
		133 |       provider_arn               = module.eks.oidc_provider_arn
		134 |       namespace_service_accounts = ["${kubernetes_namespace.external_secrets.metadata[0].name}:external-secrets"]
		135 |     }
		136 |   }
		137 | 
		138 |   tags = local.tags
		139 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: openmetadata_airflow_iam_role
	File: /eks-iam-roles.tf:141-159

		141 | module "openmetadata_airflow_iam_role" {
		142 |   #checkov:skip=CKV_TF_1:Module is from Terraform registry
		143 | 
		144 |   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
		145 |   version = "~> 5.0"
		146 | 
		147 |   role_name_prefix = "openmetadata-airflow"
		148 | 
		149 |   role_policy_arns = {
		150 |     openmetadata-airflow = module.openmetadata_airflow_iam_policy.arn
		151 |   }
		152 | 
		153 |   oidc_providers = {
		154 |     main = {
		155 |       provider_arn               = module.eks.oidc_provider_arn
		156 |       namespace_service_accounts = ["${kubernetes_namespace.openmetadata.metadata[0].name}:airflow"]
		157 |     }
		158 |   }
		159 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: openmetadata_iam_role
	File: /eks-iam-roles.tf:161-175

		161 | module "openmetadata_iam_role" {
		162 |   #checkov:skip=CKV_TF_1:Module is from Terraform registry
		163 | 
		164 |   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
		165 |   version = "~> 5.0"
		166 | 
		167 |   role_name_prefix = "openmetadata"
		168 | 
		169 |   oidc_providers = {
		170 |     main = {
		171 |       provider_arn               = module.eks.oidc_provider_arn
		172 |       namespace_service_accounts = ["${kubernetes_namespace.openmetadata.metadata[0].name}:openmetadata"]
		173 |     }
		174 |   }
		175 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: prometheus_iam_role
	File: /eks-iam-roles.tf:177-195

		177 | module "prometheus_iam_role" {
		178 |   #checkov:skip=CKV_TF_1:Module is from Terraform registry
		179 | 
		180 |   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
		181 |   version = "~> 5.0"
		182 | 
		183 |   role_name_prefix = "prometheus"
		184 | 
		185 |   role_policy_arns = {
		186 |     amazon-managed-prometheus = module.prometheus_iam_policy.arn
		187 |   }
		188 | 
		189 |   oidc_providers = {
		190 |     main = {
		191 |       provider_arn               = module.eks.oidc_provider_arn
		192 |       namespace_service_accounts = ["${kubernetes_namespace.prometheus.metadata[0].name}:prometheus"]
		193 |     }
		194 |   }
		195 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: iam_assumable_role_admin
	File: /eks-iam-roles.tf:197-216

		197 | module "iam_assumable_role_admin" {
		198 |   # checkov:skip=CKV_TF_1:
		199 |   source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
		200 |   version = "~> 5.0"
		201 | 
		202 |   trusted_role_arns = [
		203 |     "arn:aws:iam::${local.environment_management.account_ids["analytical-platform-management-production"]}:role/GlobalGitHubActionAccess",
		204 |     "arn:aws:iam::${local.environment_management.account_ids["analytical-platform-management-production"]}:role/aws-reserved/sso.amazonaws.com/eu-west-2/AWSReservedSSO_AdministratorAccess_75c6567ee233c758"
		205 |   ]
		206 | 
		207 |   create_role       = true
		208 |   role_name         = "data-platform-eks-access"
		209 |   role_requires_mfa = false
		210 | 
		211 |   custom_role_policy_arns = [
		212 |     module.data_platform_eks_access_iam_policy.arn
		213 |   ]
		214 | 
		215 |   tags = local.tags
		216 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: datahub_iam_role
	File: /iam.tf:8-24

		8  | module "datahub_iam_role" {
		9  |   #checkov:skip=CKV_TF_1:Module is from Terraform registry
		10 | 
		11 |   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
		12 |   version = "~> 5.0"
		13 | 
		14 |   role_name_prefix = "datahub"
		15 |   role_policy_arns = {
		16 |     datahub-ingestion = aws_iam_policy.datahub.arn
		17 |   }
		18 |   oidc_providers = {
		19 |     main = {
		20 |       provider_arn               = data.aws_iam_openid_connect_provider.apps_and_tools.arn
		21 |       namespace_service_accounts = ["datahub:datahub-datahub-frontend"]
		22 |     }
		23 |   }
		24 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: openmetadata_efs_kms
	File: /kms-keys.tf:1-13

		1  | module "openmetadata_efs_kms" {
		2  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		3  |   source  = "terraform-aws-modules/kms/aws"
		4  |   version = "~> 3.0"
		5  | 
		6  |   aliases               = ["efs/openmetadata"]
		7  |   description           = "Open Metadata EFS"
		8  |   enable_default_policy = true
		9  | 
		10 |   deletion_window_in_days = 7
		11 | 
		12 |   tags = local.tags
		13 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: openmetadata_airflow_rds_kms
	File: /kms-keys.tf:15-27

		15 | module "openmetadata_airflow_rds_kms" {
		16 |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		17 |   source  = "terraform-aws-modules/kms/aws"
		18 |   version = "~> 3.0"
		19 | 
		20 |   aliases               = ["rds/openmetadata-airflow"]
		21 |   description           = "Open Metadata Airflow RDS"
		22 |   enable_default_policy = true
		23 | 
		24 |   deletion_window_in_days = 7
		25 | 
		26 |   tags = local.tags
		27 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: openmetadata_rds_kms
	File: /kms-keys.tf:29-41

		29 | module "openmetadata_rds_kms" {
		30 |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		31 |   source  = "terraform-aws-modules/kms/aws"
		32 |   version = "~> 3.0"
		33 | 
		34 |   aliases               = ["rds/openmetadata"]
		35 |   description           = "Open Metadata RDS"
		36 |   enable_default_policy = true
		37 | 
		38 |   deletion_window_in_days = 7
		39 | 
		40 |   tags = local.tags
		41 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: openmetadata_opensearch_kms
	File: /kms-keys.tf:43-55

		43 | module "openmetadata_opensearch_kms" {
		44 |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		45 |   source  = "terraform-aws-modules/kms/aws"
		46 |   version = "~> 3.0"
		47 | 
		48 |   aliases               = ["opensearch/openmetadata"]
		49 |   description           = "Open Metadata OpenSearch"
		50 |   enable_default_policy = true
		51 | 
		52 |   deletion_window_in_days = 7
		53 | 
		54 |   tags = local.tags
		55 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: datahub_rds_kms
	File: /kms.tf:1-13

		1  | module "datahub_rds_kms" {
		2  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		3  |   source  = "terraform-aws-modules/kms/aws"
		4  |   version = "~> 3.0"
		5  | 
		6  |   aliases               = ["rds/datahub"]
		7  |   description           = "Datahub RDS"
		8  |   enable_default_policy = true
		9  | 
		10 |   deletion_window_in_days = 7
		11 | 
		12 |   tags = local.tags
		13 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: jml_extract_lambda
	File: /lambda-functions.tf:1-65

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: module.auth0_log_streams.kms_key
	File: /modules/auth0-log-streams/main.tf:1-57
	Calling File: /auth0-log-steams.tf:1-10

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: airflow_ses_policy
	File: /mwaa-iam-policies.tf:15-24

		15 | module "airflow_ses_policy" {
		16 |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		17 |   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
		18 |   version = "~> 5.0"
		19 | 
		20 |   name   = "${local.application_name}-${local.environment}-airflow-ses"
		21 |   policy = data.aws_iam_policy_document.airflow_ses_policy.json
		22 | 
		23 |   tags = local.tags
		24 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: airflow_execution_policy
	File: /mwaa-iam-policies.tf:117-126

		117 | module "airflow_execution_policy" {
		118 |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		119 |   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
		120 |   version = "~> 5.0"
		121 | 
		122 |   name   = "${local.application_name}-${local.environment}-airflow-execution"
		123 |   policy = data.aws_iam_policy_document.airflow_execution_policy.json
		124 | 
		125 |   tags = local.tags
		126 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: airflow_execution_role
	File: /mwaa-iam-roles.tf:1-20

		1  | module "airflow_execution_role" {
		2  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		3  | 
		4  |   source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
		5  |   version = "~> 5.0"
		6  | 
		7  |   create_role = true
		8  | 
		9  |   role_name         = local.environment_configuration.airflow_execution_role_name
		10 |   role_requires_mfa = false
		11 | 
		12 |   trusted_role_services = [
		13 |     "airflow.amazonaws.com",
		14 |     "airflow-env.amazonaws.com"
		15 |   ]
		16 | 
		17 |   custom_role_policy_arns = [module.airflow_execution_policy.arn]
		18 | 
		19 |   tags = local.tags
		20 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: airflow_iam_user
	File: /mwaa-iam-users.tf:1-10

		1  | module "airflow_iam_user" {
		2  |   # checkov:skip=CKV_TF_1:
		3  |   source  = "terraform-aws-modules/iam/aws//modules/iam-user"
		4  |   version = "~> 5"
		5  | 
		6  |   name                          = "${local.application_name}-${local.environment}-airflow"
		7  |   create_iam_user_login_profile = false
		8  | 
		9  |   tags = local.tags
		10 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: observability_platform_tenant
	File: /observability-platform.tf:1-9

		1 | module "observability_platform_tenant" {
		2 |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		3 | 
		4 |   source  = "ministryofjustice/observability-platform-tenant/aws"
		5 |   version = "1.0.1"
		6 | 
		7 |   observability_platform_account_id = local.environment_configuration.observability_platform_account_id
		8 |   enable_xray                       = true
		9 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.powerbi_gateway_reg_credentials
	File: /powerbi-gateway-secret.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "powerbi_gateway_reg_credentials" {
		2 |   name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-credentials"
		3 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.powerbi_gateway
	File: /powerbi-gateway-security-group.tf:2-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		2  | resource "aws_security_group" "powerbi_gateway" {
		3  |   name        = local.environment_configuration.powerbi_gateway_ec2.instance_name
		4  |   description = local.environment_configuration.powerbi_gateway_ec2.instance_name
		5  |   vpc_id      = data.aws_vpc.shared.id
		6  | 
		7  |   # https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-communication#ports
		8  |   egress {
		9  |     from_port   = 443
		10 |     to_port     = 443
		11 |     protocol    = "tcp"
		12 |     cidr_blocks = ["0.0.0.0/0"]
		13 |   }
		14 | 
		15 |   egress {
		16 |     from_port   = 5671
		17 |     to_port     = 5672
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     from_port   = 9352
		24 |     to_port     = 9354
		25 |     protocol    = "tcp"
		26 |     cidr_blocks = ["0.0.0.0/0"]
		27 |   }
		28 | 
		29 |   tags = local.tags
		30 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: powerbi_gateway
	File: /powerbi-gateway-server.tf:14-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		14 | module "powerbi_gateway" {
		15 |   source  = "terraform-aws-modules/ec2-instance/aws"
		16 |   version = "v5.6.0"
		17 | 
		18 |   name = local.environment_configuration.powerbi_gateway_ec2.instance_name
		19 |   # ami                         = data.aws_ami.windows_server_2022.id
		20 |   ami                         = "ami-00ffeb610527f540b" # Hardcoded AMI ID for Windows Server 2022
		21 |   instance_type               = local.environment_configuration.powerbi_gateway_ec2.instance_type
		22 |   key_name                    = aws_key_pair.powerbi_gateway_keypair.key_name
		23 |   monitoring                  = true
		24 |   create_iam_instance_profile = true
		25 |   iam_role_description        = "IAM role for PowerBI Gateway Instance"
		26 |   ignore_ami_changes          = false
		27 |   enable_volume_tags          = false
		28 |   associate_public_ip_address = false
		29 |   iam_role_policies = {
		30 |     SSMCore            = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
		31 |     PowerBI_DataAccess = aws_iam_policy.powerbi_gateway_data_access.arn
		32 |   }
		33 |   root_block_device = [
		34 |     {
		35 |       encrypted   = true
		36 |       volume_type = "gp3"
		37 |       volume_size = 100
		38 |       tags = merge({
		39 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-root-volume"
		40 |       }, local.tags)
		41 |     },
		42 |   ]
		43 | 
		44 |   ebs_block_device = [
		45 |     {
		46 |       volume_type = "gp3"
		47 |       device_name = "/dev/sdf"
		48 |       volume_size = 300
		49 |       encrypted   = true
		50 |       tags = merge({
		51 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-data-volume"
		52 |       }, local.tags)
		53 |     }
		54 |   ]
		55 |   vpc_security_group_ids = [aws_security_group.powerbi_gateway.id]
		56 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		57 | 
		58 |   tags = local.tags
		59 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: powerbi_gateway
	File: /powerbi-gateway-server.tf:14-59

		14 | module "powerbi_gateway" {
		15 |   source  = "terraform-aws-modules/ec2-instance/aws"
		16 |   version = "v5.6.0"
		17 | 
		18 |   name = local.environment_configuration.powerbi_gateway_ec2.instance_name
		19 |   # ami                         = data.aws_ami.windows_server_2022.id
		20 |   ami                         = "ami-00ffeb610527f540b" # Hardcoded AMI ID for Windows Server 2022
		21 |   instance_type               = local.environment_configuration.powerbi_gateway_ec2.instance_type
		22 |   key_name                    = aws_key_pair.powerbi_gateway_keypair.key_name
		23 |   monitoring                  = true
		24 |   create_iam_instance_profile = true
		25 |   iam_role_description        = "IAM role for PowerBI Gateway Instance"
		26 |   ignore_ami_changes          = false
		27 |   enable_volume_tags          = false
		28 |   associate_public_ip_address = false
		29 |   iam_role_policies = {
		30 |     SSMCore            = "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
		31 |     PowerBI_DataAccess = aws_iam_policy.powerbi_gateway_data_access.arn
		32 |   }
		33 |   root_block_device = [
		34 |     {
		35 |       encrypted   = true
		36 |       volume_type = "gp3"
		37 |       volume_size = 100
		38 |       tags = merge({
		39 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-root-volume"
		40 |       }, local.tags)
		41 |     },
		42 |   ]
		43 | 
		44 |   ebs_block_device = [
		45 |     {
		46 |       volume_type = "gp3"
		47 |       device_name = "/dev/sdf"
		48 |       volume_size = 300
		49 |       encrypted   = true
		50 |       tags = merge({
		51 |         Name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-data-volume"
		52 |       }, local.tags)
		53 |     }
		54 |   ]
		55 |   vpc_security_group_ids = [aws_security_group.powerbi_gateway.id]
		56 |   subnet_id              = data.aws_subnet.private_subnets_a.id
		57 | 
		58 |   tags = local.tags
		59 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: openmetadata_airflow_rds
	File: /rds.tf:1-66

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: openmetadata_rds
	File: /rds.tf:68-140

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: datahub_rds
	File: /rds.tf:142-209

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: airflow_s3_bucket
	File: /s3.tf:5-15
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "airflow_s3_bucket" {
		6  |   source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"
		7  | 
		8  |   providers = {
		9  |     aws.bucket-replication = aws
		10 |   }
		11 | 
		12 |   bucket_prefix = "moj-data-platform-airflow-${local.environment}"
		13 | 
		14 |   tags = local.tags
		15 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_client_id
	File: /secrets.tf:7-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		7  | resource "aws_secretsmanager_secret" "openmetadata_entra_id_client_id" {
		8  |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		9  | 
		10 |   name = "openmetadata/entra-id/client-id"
		11 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_tenant_id
	File: /secrets.tf:13-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		13 | resource "aws_secretsmanager_secret" "openmetadata_entra_id_tenant_id" {
		14 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		15 | 
		16 |   name = "openmetadata/entra-id/tenant-id"
		17 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_app_id
	File: /secrets.tf:19-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		19 | resource "aws_secretsmanager_secret" "github_app_arc_app_id" {
		20 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		21 | 
		22 |   name = "github/arc/app-id"
		23 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_install_id
	File: /secrets.tf:25-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		25 | resource "aws_secretsmanager_secret" "github_app_arc_install_id" {
		26 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		27 | 
		28 |   name = "github/arc/install-id"
		29 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_private_key
	File: /secrets.tf:31-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		31 | resource "aws_secretsmanager_secret" "github_app_arc_private_key" {
		32 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		33 | 
		34 |   name = "github/arc/private-key"
		35 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:38-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		38 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		39 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		40 | 
		41 |   name = "gov-uk-notify/production/api-key"
		42 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.jml_email
	File: /secrets.tf:45-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		45 | resource "aws_secretsmanager_secret" "jml_email" {
		46 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		47 | 
		48 |   name = "jml/email"
		49 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: guardduty_data_vpc_endpoint_security_group
	File: /security-groups.tf:1-15

		1  | module "guardduty_data_vpc_endpoint_security_group" {
		2  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		3  |   source  = "terraform-aws-modules/security-group/aws"
		4  |   version = "~> 5.0"
		5  | 
		6  |   name        = "${local.application_name}-${local.environment}-guardduty-data-endpoint"
		7  |   description = "GuardDuty Data VPC Endpoint"
		8  | 
		9  |   vpc_id = module.vpc.vpc_id
		10 | 
		11 |   ingress_cidr_blocks = [module.vpc.vpc_cidr_block]
		12 |   ingress_rules       = ["https-443-tcp"]
		13 | 
		14 |   tags = local.tags
		15 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: smtp_vpc_endpoint_security_group
	File: /security-groups.tf:17-31

		17 | module "smtp_vpc_endpoint_security_group" {
		18 |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		19 |   source  = "terraform-aws-modules/security-group/aws"
		20 |   version = "~> 5.0"
		21 | 
		22 |   name        = "${local.application_name}-${local.environment}-smtp-vpc-endpoint"
		23 |   description = "SMTP VPC Endpoint"
		24 | 
		25 |   vpc_id = module.vpc.vpc_id
		26 | 
		27 |   ingress_cidr_blocks = [module.vpc.vpc_cidr_block]
		28 |   ingress_rules       = ["smtp-submission-587-tcp"]
		29 | 
		30 |   tags = local.tags
		31 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: mwaa_security_group
	File: /security-groups.tf:35-53

		35 | module "mwaa_security_group" {
		36 |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		37 |   source  = "terraform-aws-modules/security-group/aws"
		38 |   version = "~> 5.0"
		39 | 
		40 |   name   = "${local.application_name}-${local.environment}-mwaa"
		41 |   vpc_id = module.vpc.vpc_id
		42 | 
		43 |   egress_cidr_blocks = ["0.0.0.0/0"]
		44 |   egress_rules       = ["all-all"]
		45 | 
		46 |   ingress_with_self = [
		47 |     {
		48 |       rule = "all-all"
		49 |     }
		50 |   ]
		51 | 
		52 |   tags = local.tags
		53 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: rds_security_group
	File: /security-groups.tf:55-75

		55 | module "rds_security_group" {
		56 |   #checkov:skip=CKV_TF_1:Module is from Terraform registry
		57 | 
		58 |   source  = "terraform-aws-modules/security-group/aws"
		59 |   version = "~> 5.0"
		60 | 
		61 |   name = "rds"
		62 | 
		63 |   vpc_id = module.vpc.vpc_id
		64 | 
		65 |   ingress_with_cidr_blocks = [
		66 |     {
		67 |       from_port   = 5432
		68 |       to_port     = 5432
		69 |       protocol    = "tcp"
		70 |       cidr_blocks = join(",", module.vpc.private_subnets_cidr_blocks)
		71 |     },
		72 |   ]
		73 | 
		74 |   tags = local.tags
		75 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: opensearch_security_group
	File: /security-groups.tf:77-94

		77 | module "opensearch_security_group" {
		78 |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		79 |   source  = "terraform-aws-modules/security-group/aws"
		80 |   version = "~> 5.0"
		81 | 
		82 |   name = "openmetadata-opensearch"
		83 | 
		84 |   vpc_id = module.vpc.vpc_id
		85 | 
		86 |   ingress_with_cidr_blocks = [
		87 |     {
		88 |       from_port   = 443
		89 |       to_port     = 443
		90 |       protocol    = "tcp"
		91 |       cidr_blocks = join(",", module.vpc.private_subnets_cidr_blocks)
		92 |     },
		93 |   ]
		94 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: datahub_rds_security_group
	File: /security-groups.tf:96-116

		96  | module "datahub_rds_security_group" {
		97  |   #checkov:skip=CKV_TF_1:Module is from Terraform registry
		98  | 
		99  |   source  = "terraform-aws-modules/security-group/aws"
		100 |   version = "~> 5.0"
		101 | 
		102 |   name = "datahub-rds"
		103 | 
		104 |   vpc_id = data.aws_vpc.dedicated.id
		105 | 
		106 |   ingress_with_cidr_blocks = [
		107 |     {
		108 |       from_port   = 5432
		109 |       to_port     = 5432
		110 |       protocol    = "tcp"
		111 |       cidr_blocks = join(",", [for subnet in data.aws_subnet.private : subnet.cidr_block])
		112 |     },
		113 |   ]
		114 | 
		115 |   tags = local.tags
		116 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: vpc_endpoints
	File: /vpc-endpoints.tf:1-38

		1  | module "vpc_endpoints" {
		2  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		3  |   source  = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		4  |   version = "~> 5.0"
		5  | 
		6  |   vpc_id = module.vpc.vpc_id
		7  | 
		8  |   endpoints = {
		9  |     guardduty-data = {
		10 |       service             = "guardduty-data"
		11 |       service_type        = "Interface"
		12 |       subnet_ids          = module.vpc.private_subnets
		13 |       security_group_ids  = [module.guardduty_data_vpc_endpoint_security_group.security_group_id]
		14 |       private_dns_enabled = true
		15 |       tags                = { Name = "${local.application_name}-${local.environment}-guardduty-data" }
		16 |     }
		17 |     email-smtp = {
		18 |       service             = "email-smtp"
		19 |       service_type        = "Interface"
		20 |       subnet_ids          = module.vpc.private_subnets
		21 |       security_group_ids  = [module.smtp_vpc_endpoint_security_group.security_group_id]
		22 |       private_dns_enabled = true
		23 |       tags                = { Name = "${local.application_name}-${local.environment}-smtp" }
		24 |     }
		25 |     s3 = {
		26 |       service      = "s3"
		27 |       service_type = "Gateway"
		28 |       route_table_ids = flatten([
		29 |         module.vpc.default_route_table_id,
		30 |         module.vpc.private_route_table_ids,
		31 |         module.vpc.public_route_table_ids
		32 |       ])
		33 |       tags = { Name = "${local.application_name}-${local.environment}-s3" }
		34 |     }
		35 |   }
		36 | 
		37 |   tags = local.tags
		38 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: vpc
	File: /vpcs.tf:4-33

		4  | module "vpc" {
		5  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		6  |   source  = "terraform-aws-modules/vpc/aws"
		7  |   version = "~> 5.0"
		8  | 
		9  |   name             = "${local.application_name}-${local.environment}"
		10 |   azs              = slice(data.aws_availability_zones.available.names, 0, 3)
		11 |   cidr             = local.environment_configuration.vpc_cidr
		12 |   private_subnets  = local.environment_configuration.vpc_private_subnets
		13 |   public_subnets   = local.environment_configuration.vpc_public_subnets
		14 |   database_subnets = local.environment_configuration.vpc_database_subnets
		15 | 
		16 |   enable_nat_gateway     = local.environment_configuration.vpc_enable_nat_gateway
		17 |   one_nat_gateway_per_az = local.environment_configuration.vpc_one_nat_gateway_per_az
		18 | 
		19 |   enable_flow_log                           = true
		20 |   create_flow_log_cloudwatch_log_group      = true
		21 |   create_flow_log_cloudwatch_iam_role       = true
		22 |   flow_log_cloudwatch_log_group_name_suffix = "${local.application_name}-${local.environment}"
		23 | 
		24 |   public_subnet_tags = {
		25 |     "kubernetes.io/role/elb" = 1
		26 |   }
		27 | 
		28 |   private_subnet_tags = {
		29 |     "kubernetes.io/role/internal-elb" = 1
		30 |   }
		31 | 
		32 |   tags = local.tags
		33 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.powerbi_gateway_reg_credentials
	File: /powerbi-gateway-secret.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "powerbi_gateway_reg_credentials" {
		2 |   name = "${local.environment_configuration.powerbi_gateway_ec2.instance_name}-credentials"
		3 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_client_id
	File: /secrets.tf:7-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		7  | resource "aws_secretsmanager_secret" "openmetadata_entra_id_client_id" {
		8  |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		9  | 
		10 |   name = "openmetadata/entra-id/client-id"
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.openmetadata_entra_id_tenant_id
	File: /secrets.tf:13-17
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		13 | resource "aws_secretsmanager_secret" "openmetadata_entra_id_tenant_id" {
		14 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		15 | 
		16 |   name = "openmetadata/entra-id/tenant-id"
		17 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_app_id
	File: /secrets.tf:19-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		19 | resource "aws_secretsmanager_secret" "github_app_arc_app_id" {
		20 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		21 | 
		22 |   name = "github/arc/app-id"
		23 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_install_id
	File: /secrets.tf:25-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		25 | resource "aws_secretsmanager_secret" "github_app_arc_install_id" {
		26 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		27 | 
		28 |   name = "github/arc/install-id"
		29 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.github_app_arc_private_key
	File: /secrets.tf:31-35
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		31 | resource "aws_secretsmanager_secret" "github_app_arc_private_key" {
		32 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		33 | 
		34 |   name = "github/arc/private-key"
		35 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.govuk_notify_api_key
	File: /secrets.tf:38-42
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		38 | resource "aws_secretsmanager_secret" "govuk_notify_api_key" {
		39 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		40 | 
		41 |   name = "gov-uk-notify/production/api-key"
		42 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.jml_email
	File: /secrets.tf:45-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		45 | resource "aws_secretsmanager_secret" "jml_email" {
		46 |   count = terraform.workspace == "data-platform-apps-and-tools-production" ? 1 : 0
		47 | 
		48 |   name = "jml/email"
		49 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.powerbi_gateway
	File: /powerbi-gateway-security-group.tf:2-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "powerbi_gateway" {
		3  |   name        = local.environment_configuration.powerbi_gateway_ec2.instance_name
		4  |   description = local.environment_configuration.powerbi_gateway_ec2.instance_name
		5  |   vpc_id      = data.aws_vpc.shared.id
		6  | 
		7  |   # https://learn.microsoft.com/en-us/data-integration/gateway/service-gateway-communication#ports
		8  |   egress {
		9  |     from_port   = 443
		10 |     to_port     = 443
		11 |     protocol    = "tcp"
		12 |     cidr_blocks = ["0.0.0.0/0"]
		13 |   }
		14 | 
		15 |   egress {
		16 |     from_port   = 5671
		17 |     to_port     = 5672
		18 |     protocol    = "tcp"
		19 |     cidr_blocks = ["0.0.0.0/0"]
		20 |   }
		21 | 
		22 |   egress {
		23 |     from_port   = 9352
		24 |     to_port     = 9354
		25 |     protocol    = "tcp"
		26 |     cidr_blocks = ["0.0.0.0/0"]
		27 |   }
		28 | 
		29 |   tags = local.tags
		30 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/data-platform-apps-and-tools/modules/auth0-log-streams
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-05-17 12:30:26,523 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 14, Failed checks: 1, Skipped checks: 1

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: kms_key
	File: /main.tf:1-57

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=2

CTFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/data-platform-apps-and-tools terraform/environments/data-platform-apps-and-tools/modules/auth0-log-streams

*****************************

Running tflint in terraform/environments/data-platform-apps-and-tools
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/data-platform-apps-and-tools/random.tf line 24:
  24: resource "random_password" "datahub_rds" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/data-platform-apps-and-tools/modules/auth0-log-streams
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on  line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/data-platform-apps-and-tools/modules/auth0-log-streams/main.tf line 102:
 102: resource "aws_cloudwatch_event_target" "this" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=4

Trivy Scan Failed

*****************************

Trivy will check the following folders:
terraform/environments/data-platform-apps-and-tools terraform/environments/data-platform-apps-and-tools/modules/auth0-log-streams

*****************************

Running Trivy in terraform/environments/data-platform-apps-and-tools
2024-05-17T12:29:57Z	INFO	Need to update DB
2024-05-17T12:29:57Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-17T12:29:59Z	INFO	Vulnerability scanning is enabled
2024-05-17T12:29:59Z	INFO	Misconfiguration scanning is enabled
2024-05-17T12:29:59Z	INFO	Need to update the built-in policies
2024-05-17T12:29:59Z	INFO	Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-05-17T12:29:59Z	INFO	Secret scanning is enabled
2024-05-17T12:29:59Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-17T12:29:59Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-17T12:30:18Z	INFO	Number of language-specific files	num=1
2024-05-17T12:30:18Z	INFO	[pip] Detecting vulnerabilities...
2024-05-17T12:30:18Z	INFO	Detected config files	num=23

data.tf (terraform)
===================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


eks-iam-policies.tf (terraform)
===============================
Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=2cb1fac31b0fc2dd6a236b0c0678df75819c5a3b/main.tf (terraform)
===============================================================================================================================
Tests: 5 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb/modules/iam-role-for-service-accounts-eks/policies.tf (terraform)
=============================================================================================================================================================================
Tests: 25 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 25)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf (terraform)
======================================================================================================
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 1, CRITICAL: 0)

HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0/main.tf:171-179
   via s3.tf:5-15 (module.airflow_s3_bucket)
────────────────────────────────────────
 171 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
 172 │   bucket = aws_s3_bucket.default.id
 173 │   rule {
 174 │     apply_server_side_encryption_by_default {
 175 │       sse_algorithm     = var.sse_algorithm
 176 │       kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
 177 │     }
 178 │   }
 179 └ }
────────────────────────────────────────



mwaa-iam-policies.tf (terraform)
================================
Tests: 4 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)


powerbi-gateway-iam.tf (terraform)
==================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


powerbi-gateway-security-group.tf (terraform)
=============================================
Tests: 3 (SUCCESSES: 0, FAILURES: 3, EXCEPTIONS: 0)
Failures: 3 (HIGH: 0, CRITICAL: 3)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 powerbi-gateway-security-group.tf:26
   via powerbi-gateway-security-group.tf:22-27 (egress)
    via powerbi-gateway-security-group.tf:2-30 (aws_security_group.powerbi_gateway)
────────────────────────────────────────
   2   resource "aws_security_group" "powerbi_gateway" {
   .   
  26 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  30   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 powerbi-gateway-security-group.tf:19
   via powerbi-gateway-security-group.tf:15-20 (egress)
    via powerbi-gateway-security-group.tf:2-30 (aws_security_group.powerbi_gateway)
────────────────────────────────────────
   2   resource "aws_security_group" "powerbi_gateway" {
   .   
  19 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  30   }
────────────────────────────────────────


CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 powerbi-gateway-security-group.tf:12
   via powerbi-gateway-security-group.tf:8-13 (egress)
    via powerbi-gateway-security-group.tf:2-30 (aws_security_group.powerbi_gateway)
────────────────────────────────────────
   2   resource "aws_security_group" "powerbi_gateway" {
   .   
  12 [     cidr_blocks = ["0.0.0.0/0"]
  ..   
  30   }
────────────────────────────────────────


trivy_exitcode=1

*****************************

Running Trivy in terraform/environments/data-platform-apps-and-tools/modules/auth0-log-streams
2024-05-17T12:30:19Z	INFO	Vulnerability scanning is enabled
2024-05-17T12:30:19Z	INFO	Misconfiguration scanning is enabled
2024-05-17T12:30:19Z	INFO	Secret scanning is enabled
2024-05-17T12:30:19Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-17T12:30:19Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-17T12:30:20Z	INFO	Number of language-specific files	num=0
2024-05-17T12:30:20Z	INFO	Detected config files	num=3
trivy_exitcode=1
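
The scanner findings above (tflint's missing `required_version` and provider constraints, checkov's CKV_TF_2 on the `kms_key` module, Trivy's avd-aws-0104 on the three `0.0.0.0/0` egress rules and avd-aws-0132 on the Airflow bucket), with their hardened counterparts in Terraform. This is an added example written for this page, not code from the repository, from terraform-aws-modules, or from the Modernisation Platform S3 module. `local.tags`, `var.vpc_id`, `var.gateway_egress_cidrs`, `bucket_prefix`, the 443 and 9350-9354 port ranges and the 90-day rotation period are assumptions; `sse_algorithm` and `custom_kms_key` are the module inputs visible in the Trivy finding, and `rotation_period_in_days` is the input that terraform-aws-modules/kms/aws 3.0.0 adds.

```hcl
# Added example for this page, not code from the repository or the modules it
# uses: hardened counterparts of the scanner findings above. Assumed names:
# local.tags, var.vpc_id, var.gateway_egress_cidrs, bucket_prefix, the port
# ranges and the 90-day rotation period.

terraform {
  # tflint terraform_required_version: the module had no terraform block at all
  # ("on line 0"), so pin the CLI range it is tested on here.
  required_version = ">= 1.3"

  # tflint terraform_required_providers: every provider used gets a constraint,
  # including "random", which the root module's random_password needs.
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 5.0"
    }
    random = {
      source  = "hashicorp/random"
      version = ">= 3.5"
    }
  }
}

# Registry module pinned to a release (checkov CKV_TF_2 wants module sources
# tied to a version, not a floating branch). rotation_period_in_days is the
# input added in terraform-aws-modules/kms/aws 3.0.0; AWS's default is 365 days.
module "kms_key" {
  source  = "terraform-aws-modules/kms/aws"
  version = "3.0.0"

  description             = "Auth0 log streams"
  enable_key_rotation     = true
  rotation_period_in_days = 90 # assumption: 90 days is the minimum AWS allows
  tags                    = local.tags
}

# Egress to explicit destinations only (trivy avd-aws-0104). The 0.0.0.0/0
# rules at powerbi-gateway-security-group.tf:12, 19 and 26 become rules to the
# ranges the gateway actually needs, supplied as var.gateway_egress_cidrs.
resource "aws_security_group" "powerbi_gateway" {
  name        = "powerbi-gateway"
  description = "Power BI on-premises data gateway"
  vpc_id      = var.vpc_id

  egress {
    description = "HTTPS to the gateway service endpoints"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = var.gateway_egress_cidrs
  }

  egress {
    description = "Service Bus relay (assumed range ending at the 9354 seen above)"
    from_port   = 9350
    to_port     = 9354
    protocol    = "tcp"
    cidr_blocks = var.gateway_egress_cidrs
  }

  tags = local.tags
}

# Bucket encrypted with the customer managed key (trivy avd-aws-0132). The
# module passes custom_kms_key straight into kms_master_key_id, so a non-empty
# value here is what turns the finding green; bucket_prefix is assumed.
module "airflow_s3_bucket" {
  source = "github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0"

  bucket_prefix  = "airflow-"
  sse_algorithm  = "aws:kms"
  custom_kms_key = module.kms_key.key_arn
  tags           = local.tags
}
```

Two checks before relying on this. First, switching the bucket to a customer managed key only works if the key policy lets the bucket's principals use it; the kms module's `key_users` and `key_administrators` inputs are where that goes, and without them reads fail after the change rather than before. Second, checkov's "Failed to download module terraform-aws-modules/kms/aws:3.0.0" line above means it never inspected the module body, so the "Passed checks: 14" count for the auth0-log-streams module says nothing about the key itself; rerun with `--download-external-modules true` (the flag the warning names) to have the module's own resources scanned.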

Labels: dependencies (pull requests that update a dependency file), environments-repository (used to exclude PRs from this repo in the Slack PR update), terraform (pull requests that update Terraform code)