Bump container_definition::modernisation-platform-terraform-ecs-cluster from 4.2.1 to 4.3.0 in /terraform/environments/delius-core #6088

@dependabot dependabot bot commented on behalf of github May 15, 2024

Bumps container_definition::modernisation-platform-terraform-ecs-cluster from 4.2.1 to 4.3.0.

Release notes

Sourced from container_definition::modernisation-platform-terraform-ecs-cluster's releases.

v4.3.0

What's Changed

New Contributors

Full Changelog: ministryofjustice/modernisation-platform-terraform-ecs-cluster@v4.2.1...v4.3.0

Commits
  • b006479 Merge pull request #157 from ministryofjustice/dependabot/github_actions/gith...
  • 521ae82 Merge pull request #156 from ministryofjustice/mount-points-optional
  • 659ce2e Merge pull request #155 from ministryofjustice/nonsensitive-container-defs
  • bdb15db Merge pull request #139 from ministryofjustice/docs/update-README-file
  • e22a720 Build(deps): Bump github/codeql-action from 3.25.4 to 3.25.5
  • e28af24 terraform-docs: automated action
  • 322c719 make mount points optional
  • b19d811 Update task_def.tf
  • 380d206 Merge pull request #154 from ministryofjustice/dependabot/github_actions/brid...
  • 07dc9da Merge pull request #153 from ministryofjustice/dependabot/github_actions/ossf...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [container_definition::modernisation-platform-terraform-ecs-cluster](https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster) from 4.2.1 to 4.3.0.
- [Release notes](https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster/releases)
- [Commits](ministryofjustice/modernisation-platform-terraform-ecs-cluster@v4.2.1...v4.3.0)

---
updated-dependencies:
- dependency-name: container_definition::github::ministryofjustice/modernisation-platform-terraform-ecs-cluster::v4.2.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot requested a review from a team as a code owner May 15, 2024 00:50
@dependabot dependabot bot added dependencies Pull requests that update a dependency file terraform Pull requests that update Terraform code labels May 15, 2024
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label May 15, 2024
Trivy Scan Failed

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running Trivy in terraform/environments/delius-core/modules/helpers/delius_microservice
2024-05-15T00:52:44Z INFO Need to update DB
2024-05-15T00:52:44Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-15T00:52:45Z INFO Vulnerability scanning is enabled
2024-05-15T00:52:45Z INFO Misconfiguration scanning is enabled
2024-05-15T00:52:45Z INFO Need to update the built-in policies
2024-05-15T00:52:45Z INFO Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-05-15T00:52:46Z INFO Secret scanning is enabled
2024-05-15T00:52:46Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-15T00:52:46Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-15T00:52:47Z INFO Number of language-specific files num=0
2024-05-15T00:52:47Z INFO Detected config files num=5

../ecs_policies/main.tf (terraform)
===================================
Tests: 6 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 6)
Failures: 0 (HIGH: 0, CRITICAL: 0)


sg.tf (terraform)
=================
Tests: 1 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 0)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 sg.tf:37
   via sg.tf:31-39 (aws_security_group_rule.ecs_service_tls_egress)
────────────────────────────────────────
  31   resource "aws_security_group_rule" "ecs_service_tls_egress" {
  32     description       = "Allow all outbound traffic to any IPv4 address on 443"
  33     type              = "egress"
  34     from_port         = 443
  35     to_port           = 443
  36     protocol          = "tcp"
  37 [   cidr_blocks       = ["0.0.0.0/0"]
  38     security_group_id = aws_security_group.ecs_service.id
  39   }
────────────────────────────────────────


trivy_exitcode=1

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running Checkov in terraform/environments/delius-core/modules/helpers/delius_microservice
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-05-15 00:52:49,485 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0:None (for external modules, the --download-external-modules flag is required)
2024-05-15 00:52:49,485 [MainThread  ] [WARNI]  Failed to download module git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.2.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 155, Failed checks: 16, Skipped checks: 2

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.ecs
	File: /cloudwatch.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: aws_cloudwatch_log_group.ecs
	File: /cloudwatch.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		1 | resource "aws_cloudwatch_log_group" "ecs" {
		2 |   name              = "${var.env_name}-${var.name}"
		3 |   retention_in_days = 7
		4 |   tags              = var.tags
		5 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: container_definition
	File: /ecs.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "container_definition" {
		2  |   source                   = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//container?ref=v4.3.0"
		3  |   name                     = var.name
		4  |   image                    = var.container_image
		5  |   memory                   = var.container_memory
		6  |   cpu                      = var.container_cpu
		7  |   essential                = true
		8  |   readonly_root_filesystem = false
		9  | 
		10 |   environment = local.calculated_container_vars_list
		11 | 
		12 |   secrets       = local.calculated_container_secrets_list
		13 |   port_mappings = var.container_port_config
		14 |   mount_points  = var.mount_points
		15 |   log_configuration = {
		16 |     logDriver = "awslogs"
		17 |     options = {
		18 |       "awslogs-group"         = aws_cloudwatch_log_group.ecs.name
		19 |       "awslogs-region"        = "eu-west-2"
		20 |       "awslogs-stream-prefix" = "${var.env_name}-${var.name}"
		21 |     }
		22 |   }
		23 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: ecs_service
	File: /ecs.tf:32-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		32 | module "ecs_service" {
		33 |   source                = "git::https://github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//service?ref=v4.2.1"
		34 |   container_definitions = module.container_definition.json_encoded_list
		35 |   cluster_arn           = var.ecs_cluster_arn
		36 |   name                  = var.name
		37 | 
		38 |   task_cpu    = var.container_cpu
		39 |   task_memory = var.container_memory
		40 | 
		41 |   desired_count                      = var.desired_count
		42 |   deployment_maximum_percent         = var.deployment_maximum_percent
		43 |   deployment_minimum_healthy_percent = var.deployment_minimum_healthy_percent
		44 | 
		45 |   service_role_arn   = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.service_role.name}"
		46 |   task_role_arn      = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_role.name}"
		47 |   task_exec_role_arn = "arn:aws:iam::${var.account_info.id}:role/${module.ecs_policies.task_exec_role.name}"
		48 | 
		49 |   health_check_grace_period_seconds = var.health_check_grace_period_seconds
		50 | 
		51 |   service_load_balancers = concat([{
		52 |     target_group_arn = aws_lb_target_group.frontend.arn
		53 |     container_name   = var.name
		54 |     container_port   = var.container_port_config[0].containerPort
		55 |     }],
		56 |   values(local.ecs_nlbs))
		57 | 
		58 |   efs_volumes = var.efs_volumes
		59 | 
		60 |   security_groups = [aws_security_group.ecs_service.id]
		61 | 
		62 |   subnets = var.account_config.private_subnet_ids
		63 | 
		64 |   enable_execute_command = true
		65 | 
		66 |   ignore_changes = var.ignore_changes_service_task_definition
		67 | 
		68 |   tags = var.tags
		69 | }

Check: CKV_AWS_319: "Ensure that CloudWatch alarm actions are enabled"
	FAILED for resource: aws_cloudwatch_metric_alarm.log_error_warning_alarm[0]
	File: /ecs_monitoring.tf:120-149
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-319

		120 | resource "aws_cloudwatch_metric_alarm" "log_error_warning_alarm" {
		121 |   count               = var.log_error_pattern != "" ? 1 : 0
		122 |   alarm_name          = "${var.name}-${var.env_name}-logged-errors-warning"
		123 |   alarm_description   = "Error messages were detected in the `${var.name}` logs."
		124 |   comparison_operator = "GreaterThanUpperThreshold"
		125 |   threshold_metric_id = "ad1"
		126 |   evaluation_periods  = 2
		127 |   alarm_actions       = [var.sns_topic_arn]
		128 |   ok_actions          = [var.sns_topic_arn]
		129 |   actions_enabled     = false # Disabled initially, while anomaly detection models are trained
		130 | 
		131 |   metric_query {
		132 |     id          = "ad1"
		133 |     expression  = "ANOMALY_DETECTION_BAND(m1)"
		134 |     label       = "${aws_cloudwatch_log_metric_filter.log_error_filter.0.metric_transformation.0.name} (expected)"
		135 |     return_data = true
		136 |   }
		137 | 
		138 |   metric_query {
		139 |     id          = "m1"
		140 |     label       = aws_cloudwatch_log_metric_filter.log_error_filter.0.metric_transformation.0.name
		141 |     return_data = true
		142 |     metric {
		143 |       namespace   = aws_cloudwatch_log_metric_filter.log_error_filter.0.metric_transformation.0.namespace
		144 |       metric_name = aws_cloudwatch_log_metric_filter.log_error_filter.0.metric_transformation.0.name
		145 |       period      = 300
		146 |       stat        = "Sum"
		147 |     }
		148 |   }
		149 | }

Check: CKV_AWS_91: "Ensure the ELBv2 (Application/Network) has access logging enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:89-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-22

		89 | resource "aws_lb" "delius_microservices" {
		90 |   name                       = "${var.name}-service-nlb"
		91 |   internal                   = true
		92 |   load_balancer_type         = "network"
		93 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		94 |   subnets                    = var.account_config.private_subnet_ids
		95 |   enable_deletion_protection = false
		96 |   tags                       = var.tags
		97 | }

Check: CKV_AWS_152: "Ensure that Load Balancer (Network/Gateway) has cross-zone load balancing enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:89-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-load-balancer-networkgateway-has-cross-zone-load-balancing-enabled

		89 | resource "aws_lb" "delius_microservices" {
		90 |   name                       = "${var.name}-service-nlb"
		91 |   internal                   = true
		92 |   load_balancer_type         = "network"
		93 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		94 |   subnets                    = var.account_config.private_subnet_ids
		95 |   enable_deletion_protection = false
		96 |   tags                       = var.tags
		97 | }

Check: CKV_AWS_150: "Ensure that Load Balancer has deletion protection enabled"
	FAILED for resource: aws_lb.delius_microservices
	File: /load_balancing.tf:89-97
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-150

		89 | resource "aws_lb" "delius_microservices" {
		90 |   name                       = "${var.name}-service-nlb"
		91 |   internal                   = true
		92 |   load_balancer_type         = "network"
		93 |   security_groups            = [aws_security_group.delius_microservices_service_nlb.id]
		94 |   subnets                    = var.account_config.private_subnet_ids
		95 |   enable_deletion_protection = false
		96 |   tags                       = var.tags
		97 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_ingress_rule.from_vpc
	File: /load_balancing.tf:109-113
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		109 | resource "aws_vpc_security_group_ingress_rule" "from_vpc" {
		110 |   cidr_ipv4         = var.account_config.shared_vpc_cidr
		111 |   ip_protocol       = "-1"
		112 |   security_group_id = aws_security_group.delius_microservices_service_nlb.id
		113 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_vpc_security_group_egress_rule.nlb_to_ecs_service
	File: /load_balancing.tf:115-122
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		115 | resource "aws_vpc_security_group_egress_rule" "nlb_to_ecs_service" {
		116 |   for_each                     = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		117 |   ip_protocol                  = "TCP"
		118 |   from_port                    = each.value
		119 |   to_port                      = each.value
		120 |   security_group_id            = aws_security_group.delius_microservices_service_nlb.id
		121 |   referenced_security_group_id = aws_security_group.ecs_service.id
		122 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.all_cluster_to_ecs_service_tcp
	File: /sg.tf:41-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		41 | resource "aws_security_group_rule" "all_cluster_to_ecs_service_tcp" {
		42 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		43 |   security_group_id        = aws_security_group.ecs_service.id
		44 |   type                     = "ingress"
		45 |   from_port                = each.value
		46 |   to_port                  = each.value
		47 |   protocol                 = "tcp"
		48 |   source_security_group_id = var.cluster_security_group_id
		49 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group_rule.bastion_to_ecs_service_tcp
	File: /sg.tf:51-59
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		51 | resource "aws_security_group_rule" "bastion_to_ecs_service_tcp" {
		52 |   for_each                 = toset([for _, v in var.container_port_config : tostring(v.containerPort)])
		53 |   security_group_id        = aws_security_group.ecs_service.id
		54 |   type                     = "ingress"
		55 |   from_port                = each.value
		56 |   to_port                  = each.value
		57 |   protocol                 = "tcp"
		58 |   source_security_group_id = var.bastion_sg_id
		59 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /ecs.tf:25-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ecs_policies.aws_iam_policy_document.task_exec
	File: /../ecs_policies/main.tf:104-121
	Calling File: /ecs.tf:25-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		104 | data "aws_iam_policy_document" "task_exec" {
		105 |   statement {
		106 |     effect    = "Allow"
		107 |     resources = ["*"]
		108 | 
		109 |     actions = concat([
		110 |       "ssm:GetParameters",
		111 |       "ecr:GetAuthorizationToken",
		112 |       "ecr:BatchCheckLayerAvailability",
		113 |       "ecr:GetDownloadUrlForLayer",
		114 |       "ecr:BatchGetImage",
		115 |       "logs:CreateLogGroup",
		116 |       "logs:CreateLogStream",
		117 |       "logs:PutLogEvents",
		118 |       "secretsmanager:GetSecretValue"
		119 |     ], var.extra_exec_role_allow_statements)
		120 |   }
		121 | }

Check: CKV2_AWS_60: "Ensure RDS instance with copy tags to snapshots is enabled"
	FAILED for resource: aws_db_instance.this
	File: /rds.tf:41-87
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-60

		41 | resource "aws_db_instance" "this" {
		42 |   count          = var.create_rds ? 1 : 0
		43 |   engine         = var.rds_engine
		44 |   license_model  = var.rds_license_model != null ? var.rds_license_model : null
		45 |   engine_version = var.rds_engine_version
		46 |   instance_class = var.rds_instance_class
		47 |   identifier     = "${var.name}-${var.env_name}-db"
		48 |   username       = var.rds_username
		49 | 
		50 |   manage_master_user_password = true
		51 | 
		52 |   snapshot_identifier = var.snapshot_identifier != null ? var.snapshot_identifier : null
		53 | 
		54 |   kms_key_id = var.account_config.kms_keys.rds_shared
		55 | 
		56 |   allow_major_version_upgrade = var.rds_allow_major_version_upgrade
		57 |   apply_immediately           = var.rds_apply_immediately
		58 | 
		59 |   # tflint-ignore: aws_db_instance_default_parameter_group
		60 |   parameter_group_name                = var.rds_parameter_group_name
		61 |   deletion_protection                 = var.rds_deletion_protection
		62 |   delete_automated_backups            = var.rds_delete_automated_backups
		63 |   skip_final_snapshot                 = var.rds_skip_final_snapshot
		64 |   final_snapshot_identifier           = !var.rds_skip_final_snapshot ? "${var.name}-${var.env_name}-db-final-${random_id.rds_suffix.hex}" : null
		65 |   allocated_storage                   = var.rds_allocated_storage
		66 |   max_allocated_storage               = var.rds_max_allocated_storage
		67 |   storage_type                        = var.rds_storage_type
		68 |   maintenance_window                  = var.maintenance_window
		69 |   auto_minor_version_upgrade          = true
		70 |   backup_window                       = var.rds_backup_window
		71 |   backup_retention_period             = var.rds_backup_retention_period
		72 |   iam_database_authentication_enabled = var.rds_iam_database_authentication_enabled
		73 |   db_subnet_group_name                = aws_db_subnet_group.this[0].id
		74 |   vpc_security_group_ids              = [aws_security_group.db[0].id]
		75 |   multi_az                            = var.rds_multi_az
		76 |   monitoring_interval                 = var.rds_monitoring_interval
		77 |   monitoring_role_arn                 = var.rds_monitoring_interval != null || var.rds_monitoring_interval != 0 ? aws_iam_role.rds_enhanced_monitoring[0].arn : null
		78 |   #checkov:skip=CKV_AWS_118: "enhanced monitoring is enabled, but optional"
		79 |   storage_encrypted               = true
		80 |   performance_insights_enabled    = var.rds_performance_insights_enabled
		81 |   performance_insights_kms_key_id = var.rds_performance_insights_enabled ? var.account_config.kms_keys.general_shared : null
		82 |   enabled_cloudwatch_logs_exports = var.rds_enabled_cloudwatch_logs_exports
		83 |   tags = merge(var.tags,
		84 |     { Name = lower(format("%s-%s-database", var.name, var.env_name)) },
		85 |     var.enable_platform_backups != null ? { "backup" = var.enable_platform_backups ? "true" : "false" } : {}
		86 |   )
		87 | }

Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ecs_service
	File: /sg.tf:2-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		2  | resource "aws_security_group" "ecs_service" {
		3  |   name        = "ecs-service-${var.name}-${var.env_name}"
		4  |   description = "Security group for the ${var.env_name} ${var.name} service"
		5  |   vpc_id      = var.account_config.shared_vpc_id
		6  |   tags        = var.tags
		7  |   lifecycle {
		8  |     create_before_destroy = true
		9  |   }
		10 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/delius-core/modules/helpers/delius_microservice

*****************************

Running tflint in terraform/environments/delius-core/modules/helpers/delius_microservice
Excluding the following checks: terraform_unused_declarations
1 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/delius-core/modules/helpers/delius_microservice/rds.tf line 1:
   1: resource "random_id" "rds_suffix" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

@SteveLinden SteveLinden merged commit bfda996 into main May 17, 2024
13 of 18 checks passed
@SteveLinden SteveLinden deleted the dependabot/terraform/terraform/environments/delius-core/container_definition--github--ministryofjustice/modernisation-platform-terraform-ecs-cluster--v4.2.1-4.3.0 branch May 17, 2024 12:19