Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cc 3081 #9484

Merged
merged 14 commits into from
Jan 28, 2025
Merged

Cc 3081 #9484

merged 14 commits into from
Jan 28, 2025

Conversation

SahidKhan89
Copy link
Contributor

No description provided.

@SahidKhan89 SahidKhan89 requested review from a team as code owners January 28, 2025 16:05
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jan 28, 2025
mmgovuk
mmgovuk approved these changes Jan 28, 2025
View reviewed changes
Copy link
Contributor

@mmgovuk mmgovuk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@SahidKhan89 SahidKhan89 merged commit 31cfac7 into main Jan 28, 2025
13 of 16 checks passed
@SahidKhan89 SahidKhan89 deleted the CC-3081 branch January 28, 2025 16:07
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/ccms-ebs-upgrade

Running Trivy in terraform/environments/ccms-ebs-upgrade
2025-01-28T16:07:42Z INFO [vulndb] Need to update DB
2025-01-28T16:07:42Z INFO [vulndb] Downloading vulnerability DB...
2025-01-28T16:07:42Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-28T16:07:45Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-28T16:07:45Z INFO [vuln] Vulnerability scanning is enabled
2025-01-28T16:07:45Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-28T16:07:45Z INFO [misconfig] Need to update the built-in checks
2025-01-28T16:07:45Z INFO [misconfig] Downloading the built-in checks...
164.50 KiB / 164.50 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-28T16:07:45Z INFO [secret] Secret scanning is enabled
2025-01-28T16:07:45Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-28T16:07:45Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-28T16:07:46Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-28T16:07:46Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-28T16:07:46Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2025-01-28T16:07:46Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_route53_record.external_validation" value="cty.NilVal"
2025-01-28T16:07:46Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2025-01-28T16:07:46Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2025-01-28T16:07:47Z INFO [terraform scanner] Scanning root module file_path="modules"
2025-01-28T16:07:47Z INFO [terraform scanner] Scanning root module file_path="modules/cw-logs"
2025-01-28T16:07:50Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2025-01-28T16:07:50Z INFO [terraform executor] Ignore finding rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:170"
2025-01-28T16:07:51Z INFO Number of language-specific files num=0
2025-01-28T16:07:51Z INFO Detected config files num=21

ec2-oracle_accessgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_accessgate" {
2 │ count = local.application_data.accounts[local.environment].accessgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
4 │ ami = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ec2-oracle_ebs_apps-alb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_lb" "ebsapps_lb" {
2 │ name = lower(format("lb-%s-ebsapp", local.application_name))
3 │ internal = true
4 │ load_balancer_type = "application"
5 │ security_groups = [aws_security_group.sg_ebsapps_lb.id]
6 │ subnets = data.aws_subnets.shared-private.ids
7 │
8 │ enable_deletion_protection = true
9 └
..
────────────────────────────────────────

ec2-oracle_ebs_apps.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2-oracle_ebs_apps.tf:1-50
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_ebsapps" {
2 │ count = local.application_data.accounts[local.environment].ebsapps_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
4 │ ami = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

ec2-oracle_ebs_conc.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ec2-oracle_ebs_conc.tf:1-48
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_oracle_conc" {
2 │ count = local.application_data.accounts[local.environment].conc_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsconc
4 │ ami = local.application_data.accounts[local.environment].ebsconc_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsconc.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring = true
9 └ ebs_optimized = local.application_data.accounts[local.environment].ebs_optimized
..
────────────────────────────────────────

ec2-oracle_ebs_db.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.

See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
ec2-oracle_ebs_db.tf:1-48
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_oracle_ebs" {
2 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
3 │ #ami = data.aws_ami.oracle_db.id
4 │ ami = local.application_data.accounts[local.environment].ebsdb_ami_id
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_ebsdb.id]
7 │ subnet_id = data.aws_subnet.data_subnets_a.id
8 │ monitoring = true
9 └ ebs_optimized = false
..
────────────────────────────────────────

ec2-oracle_webgate-alb.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.

See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
ec2-oracle_webgate-alb.tf:1-19
────────────────────────────────────────
1 ┌ resource "aws_lb" "webgate_lb" {
2 │ name = lower(format("lb-%s-webgate", local.application_name))
3 │ internal = true
4 │ load_balancer_type = "application"
5 │ security_groups = [aws_security_group.sg_webgate_lb.id]
6 │ subnets = data.aws_subnets.shared-private.ids
7 │
8 │ enable_deletion_protection = true
9 └
..
────────────────────────────────────────

ec2-oracle_webgate.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default aws_instance resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using metadata_options block and its http_tokens variable set to required.

See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
1 ┌ resource "aws_instance" "ec2_webgate" {
2 │ count = local.application_data.accounts[local.environment].webgate_no_instances
3 │ instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
4 │ ami = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
5 │ key_name = local.application_data.accounts[local.environment].key_name
6 │ vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
7 │ subnet_id = local.private_subnets[count.index]
8 │ #subnet_id = data.aws_subnet.data_subnets_a.id
9 └ monitoring = true
..
────────────────────────────────────────

s3.tf (terraform)

Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
s3.tf:280-282
────────────────────────────────────────
280 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
281 │ bucket = "${local.application_name}-${local.environment}-shared"
282 └ }
────────────────────────────────────────

AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
s3.tf:280-282
────────────────────────────────────────
280 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
281 │ bucket = "${local.application_name}-${local.environment}-shared"
282 └ }
────────────────────────────────────────

AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
s3.tf:280-282
────────────────────────────────────────
280 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
281 │ bucket = "${local.application_name}-${local.environment}-shared"
282 └ }
────────────────────────────────────────

AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
s3.tf:280-282
────────────────────────────────────────
280 ┌ resource "aws_s3_bucket" "ccms_ebs_shared" {
281 │ bucket = "${local.application_name}-${local.environment}-shared"
282 └ }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/ccms-ebs-upgrade

*****************************

Running Checkov in terraform/environments/ccms-ebs-upgrade
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-28 16:07:53,823 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0:None (for external modules, the --download-external-modules flag is required)
2025-01-28 16:07:53,823 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.1.0:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 918, Failed checks: 44, Skipped checks: 0

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ftp
	File: /ccms-ec2-ftp.tf:1-68
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   count       = local.is-test ? 1 : 0
		5  |   name        = "ftp-s3-${local.environment}-aws-key"
		6  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		7  | 
		8  |   tags = merge(local.tags,
		9  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		10 |   )
		11 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: aws_cloudwatch_log_group.groups
	File: /cloudwatch.tf:15-26
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		15 | resource "aws_cloudwatch_log_group" "groups" {
		16 |   for_each          = local.application_data.cw_log_groups
		17 |   name              = each.key
		18 |   retention_in_days = each.value.retention_days
		19 | 
		20 |   tags = merge(
		21 |     local.tags,
		22 |     {
		23 |       Name = each.key
		24 |     },
		25 |   )
		26 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch_datasource
	File: /cloudwatch.tf:54-106
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_role_policy.dlm_lifecycle
	File: /dlm.tf:24-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		24 | resource "aws_iam_role_policy" "dlm_lifecycle" {
		25 |   count = local.is-production ? 0 : 1
		26 |   name  = "dlm-lifecycle-policy"
		27 |   role  = aws_iam_role.dlm_lifecycle_role[0].id
		28 | 
		29 |   policy = <<EOF
		30 | {
		31 |    "Version": "2012-10-17",
		32 |    "Statement": [
		33 |       {
		34 |          "Effect": "Allow",
		35 |          "Action": [
		36 |             "ec2:CreateSnapshot",
		37 |             "ec2:DeleteSnapshot",
		38 |             "ec2:DescribeVolumes",
		39 |             "ec2:DescribeSnapshots"
		40 |          ],
		41 |          "Resource": "*"
		42 |       },
		43 |       {
		44 |          "Effect": "Allow",
		45 |          "Action": [
		46 |             "ec2:CreateTags"
		47 |          ],
		48 |          "Resource": "arn:aws:ec2:*::snapshot/*"
		49 |       }
		50 |    ]
		51 | }
		52 | EOF
		53 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_accessgate
	File: /ec2-oracle_accessgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.ebsapps_lb
	File: /ec2-oracle_ebs_apps-alb.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "ebsapps_lb" {
		2  |   name               = lower(format("lb-%s-ebsapp", local.application_name))
		3  |   internal           = true
		4  |   load_balancer_type = "application"
		5  |   security_groups    = [aws_security_group.sg_ebsapps_lb.id]
		6  |   subnets            = data.aws_subnets.shared-private.ids
		7  | 
		8  |   enable_deletion_protection = true
		9  | 
		10 |   access_logs {
		11 |     bucket  = module.s3-bucket-logging.bucket.id
		12 |     prefix  = local.lb_log_prefix_ebsapp
		13 |     enabled = true
		14 |   }
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = lower(format("lb-%s-ebsapp", local.application_name)) }
		18 |   )
		19 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.ebsapp_tg
	File: /ec2-oracle_ebs_apps-alb.tf:38-53
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		38 | resource "aws_lb_target_group" "ebsapp_tg" {
		39 |   name     = lower(format("tg-%s-ebsapp", local.application_name))
		40 |   port     = local.application_data.accounts[local.environment].tg_apps_port
		41 |   protocol = "HTTP"
		42 |   vpc_id   = data.aws_vpc.shared.id
		43 |   health_check {
		44 |     port     = local.application_data.accounts[local.environment].tg_apps_port
		45 |     protocol = "HTTP"
		46 |   }
		47 | 
		48 |   stickiness {
		49 |     enabled         = true
		50 |     type            = "lb_cookie"
		51 |     cookie_duration = 3600
		52 |   }
		53 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ec2-oracle_ebs_apps.tf:1-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_ebsapps
	File: /ec2-oracle_ebs_apps.tf:1-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.ec2_oracle_conc
	File: /ec2-oracle_ebs_conc.tf:1-48
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		1  | resource "aws_instance" "ec2_oracle_conc" {
		2  |   count                       = local.application_data.accounts[local.environment].conc_no_instances
		3  |   instance_type               = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsconc
		4  |   ami                         = local.application_data.accounts[local.environment].ebsconc_ami_id
		5  |   key_name                    = local.application_data.accounts[local.environment].key_name
		6  |   vpc_security_group_ids      = [aws_security_group.ec2_sg_ebsconc.id]
		7  |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		8  |   monitoring                  = true
		9  |   ebs_optimized               = local.application_data.accounts[local.environment].ebs_optimized
		10 |   associate_public_ip_address = false
		11 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_ccms_base.name
		12 | 
		13 |   cpu_core_count       = local.application_data.accounts[local.environment].ec2_oracle_instance_cores_ebsconc
		14 |   cpu_threads_per_core = local.application_data.accounts[local.environment].ec2_oracle_instance_threads_ebsconc
		15 | 
		16 |   # Due to a bug in terraform wanting to rebuild the ec2 if more than 1 ebs block is attached, we need the lifecycle clause below.
		17 |   #lifecycle {
		18 |   #  ignore_changes = [ebs_block_device]
		19 |   #}
		20 |   lifecycle {
		21 |     ignore_changes = [
		22 |       cpu_core_count,
		23 |       ebs_block_device,
		24 |       ebs_optimized,
		25 |       user_data,
		26 |       user_data_replace_on_change
		27 |     ]
		28 |   }
		29 |   user_data_replace_on_change = false
		30 |   user_data = base64encode(templatefile("./templates/ec2_user_data_ebs.sh", {
		31 |     environment = "${local.environment}"
		32 |     hostname    = "ebs"
		33 |   }))
		34 | 
		35 |   metadata_options {
		36 |     http_endpoint = "enabled"
		37 |     http_tokens   = "required"
		38 |   }
		39 | 
		40 |   tags = merge(local.tags,
		41 |     { Name = lower(format("ec2-%s-%s-ebsconc", local.application_name, local.environment)) },
		42 |     { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling-ebsconc },
		43 |     { instance-role = local.application_data.accounts[local.environment].instance_role_ebsconc },
		44 |     { backup = "true" },
		45 |     { OracleDbLTS-ManagedInstance = "true" }
		46 |   )
		47 |   depends_on = [aws_security_group.ec2_sg_ebsconc]
		48 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_oracle_conc
	File: /ec2-oracle_ebs_conc.tf:1-48
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "ec2_oracle_conc" {
		2  |   count                       = local.application_data.accounts[local.environment].conc_no_instances
		3  |   instance_type               = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsconc
		4  |   ami                         = local.application_data.accounts[local.environment].ebsconc_ami_id
		5  |   key_name                    = local.application_data.accounts[local.environment].key_name
		6  |   vpc_security_group_ids      = [aws_security_group.ec2_sg_ebsconc.id]
		7  |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		8  |   monitoring                  = true
		9  |   ebs_optimized               = local.application_data.accounts[local.environment].ebs_optimized
		10 |   associate_public_ip_address = false
		11 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_ccms_base.name
		12 | 
		13 |   cpu_core_count       = local.application_data.accounts[local.environment].ec2_oracle_instance_cores_ebsconc
		14 |   cpu_threads_per_core = local.application_data.accounts[local.environment].ec2_oracle_instance_threads_ebsconc
		15 | 
		16 |   # Due to a bug in terraform wanting to rebuild the ec2 if more than 1 ebs block is attached, we need the lifecycle clause below.
		17 |   #lifecycle {
		18 |   #  ignore_changes = [ebs_block_device]
		19 |   #}
		20 |   lifecycle {
		21 |     ignore_changes = [
		22 |       cpu_core_count,
		23 |       ebs_block_device,
		24 |       ebs_optimized,
		25 |       user_data,
		26 |       user_data_replace_on_change
		27 |     ]
		28 |   }
		29 |   user_data_replace_on_change = false
		30 |   user_data = base64encode(templatefile("./templates/ec2_user_data_ebs.sh", {
		31 |     environment = "${local.environment}"
		32 |     hostname    = "ebs"
		33 |   }))
		34 | 
		35 |   metadata_options {
		36 |     http_endpoint = "enabled"
		37 |     http_tokens   = "required"
		38 |   }
		39 | 
		40 |   tags = merge(local.tags,
		41 |     { Name = lower(format("ec2-%s-%s-ebsconc", local.application_name, local.environment)) },
		42 |     { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling-ebsconc },
		43 |     { instance-role = local.application_data.accounts[local.environment].instance_role_ebsconc },
		44 |     { backup = "true" },
		45 |     { OracleDbLTS-ManagedInstance = "true" }
		46 |   )
		47 |   depends_on = [aws_security_group.ec2_sg_ebsconc]
		48 | }

Check: CKV_AWS_8: "Ensure all data stored in the Launch configuration or instance Elastic Blocks Store is securely encrypted"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ec2-oracle_ebs_db.tf:1-48
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-13

		1  | resource "aws_instance" "ec2_oracle_ebs" {
		2  |   instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
		3  |   #ami                         = data.aws_ami.oracle_db.id
		4  |   ami                         = local.application_data.accounts[local.environment].ebsdb_ami_id
		5  |   key_name                    = local.application_data.accounts[local.environment].key_name
		6  |   vpc_security_group_ids      = [aws_security_group.ec2_sg_ebsdb.id]
		7  |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		8  |   monitoring                  = true
		9  |   ebs_optimized               = false
		10 |   associate_public_ip_address = false
		11 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_ccms_base.name
		12 | 
		13 |   cpu_core_count       = local.application_data.accounts[local.environment].ec2_oracle_instance_cores_ebsdb
		14 |   cpu_threads_per_core = local.application_data.accounts[local.environment].ec2_oracle_instance_threads_ebsdb
		15 | 
		16 |   # Due to a bug in terraform wanting to rebuild the ec2 if more than 1 ebs block is attached, we need the lifecycle clause below.
		17 |   #lifecycle {
		18 |   #  ignore_changes = [ebs_block_device]
		19 |   #}
		20 |   lifecycle {
		21 |     ignore_changes = [
		22 |       cpu_core_count,
		23 |       ebs_block_device,
		24 |       ebs_optimized,
		25 |       user_data,
		26 |       user_data_replace_on_change
		27 |     ]
		28 |   }
		29 |   user_data_replace_on_change = false
		30 |   user_data = base64encode(templatefile("./templates/ec2_user_data_ebs.sh", {
		31 |     environment = "${local.environment}"
		32 |     hostname    = "ebs"
		33 |   }))
		34 | 
		35 |   metadata_options {
		36 |     http_endpoint = "enabled"
		37 |     http_tokens   = "required"
		38 |   }
		39 | 
		40 |   tags = merge(local.tags,
		41 |     { Name = lower(format("ec2-%s-%s-ebsdb", local.application_name, local.environment)) },
		42 |     { instance-role = local.application_data.accounts[local.environment].instance_role_ebsdb },
		43 |     { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling-ebsdb },
		44 |     { backup = "true" },
		45 |     { OracleDbLTS-ManagedInstance = "true" }
		46 |   )
		47 |   depends_on = [aws_security_group.ec2_sg_ebsdb]
		48 | }

Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_oracle_ebs
	File: /ec2-oracle_ebs_db.tf:1-48
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		1  | resource "aws_instance" "ec2_oracle_ebs" {
		2  |   instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
		3  |   #ami                         = data.aws_ami.oracle_db.id
		4  |   ami                         = local.application_data.accounts[local.environment].ebsdb_ami_id
		5  |   key_name                    = local.application_data.accounts[local.environment].key_name
		6  |   vpc_security_group_ids      = [aws_security_group.ec2_sg_ebsdb.id]
		7  |   subnet_id                   = data.aws_subnet.data_subnets_a.id
		8  |   monitoring                  = true
		9  |   ebs_optimized               = false
		10 |   associate_public_ip_address = false
		11 |   iam_instance_profile        = aws_iam_instance_profile.iam_instace_profile_ccms_base.name
		12 | 
		13 |   cpu_core_count       = local.application_data.accounts[local.environment].ec2_oracle_instance_cores_ebsdb
		14 |   cpu_threads_per_core = local.application_data.accounts[local.environment].ec2_oracle_instance_threads_ebsdb
		15 | 
		16 |   # Due to a bug in terraform wanting to rebuild the ec2 if more than 1 ebs block is attached, we need the lifecycle clause below.
		17 |   #lifecycle {
		18 |   #  ignore_changes = [ebs_block_device]
		19 |   #}
		20 |   lifecycle {
		21 |     ignore_changes = [
		22 |       cpu_core_count,
		23 |       ebs_block_device,
		24 |       ebs_optimized,
		25 |       user_data,
		26 |       user_data_replace_on_change
		27 |     ]
		28 |   }
		29 |   user_data_replace_on_change = false
		30 |   user_data = base64encode(templatefile("./templates/ec2_user_data_ebs.sh", {
		31 |     environment = "${local.environment}"
		32 |     hostname    = "ebs"
		33 |   }))
		34 | 
		35 |   metadata_options {
		36 |     http_endpoint = "enabled"
		37 |     http_tokens   = "required"
		38 |   }
		39 | 
		40 |   tags = merge(local.tags,
		41 |     { Name = lower(format("ec2-%s-%s-ebsdb", local.application_name, local.environment)) },
		42 |     { instance-role = local.application_data.accounts[local.environment].instance_role_ebsdb },
		43 |     { instance-scheduling = local.application_data.accounts[local.environment].instance-scheduling-ebsdb },
		44 |     { backup = "true" },
		45 |     { OracleDbLTS-ManagedInstance = "true" }
		46 |   )
		47 |   depends_on = [aws_security_group.ec2_sg_ebsdb]
		48 | }

Check: CKV_AWS_131: "Ensure that ALB drops HTTP headers"
	FAILED for resource: aws_lb.webgate_lb
	File: /ec2-oracle_webgate-alb.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-alb-drops-http-headers

		1  | resource "aws_lb" "webgate_lb" {
		2  |   name               = lower(format("lb-%s-webgate", local.application_name))
		3  |   internal           = true
		4  |   load_balancer_type = "application"
		5  |   security_groups    = [aws_security_group.sg_webgate_lb.id]
		6  |   subnets            = data.aws_subnets.shared-private.ids
		7  | 
		8  |   enable_deletion_protection = true
		9  | 
		10 |   access_logs {
		11 |     bucket  = module.s3-bucket-logging.bucket.id
		12 |     prefix  = local.lb_log_prefix_wgate_public
		13 |     enabled = true
		14 |   }
		15 | 
		16 |   tags = merge(local.tags,
		17 |     { Name = lower(format("lb-%s-webgate", local.application_name)) }
		18 |   )
		19 | }

Check: CKV_AWS_261: "Ensure HTTP HTTPS Target group defines Healthcheck"
	FAILED for resource: aws_lb_target_group.webgate_tg
	File: /ec2-oracle_webgate-alb.tf:38-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kendra-index-server-side-encryption-uses-customer-managed-keys-cmks

		38 | resource "aws_lb_target_group" "webgate_tg" {
		39 |   name     = lower(format("tg-%s-webgate", local.application_name))
		40 |   port     = 5401
		41 |   protocol = "HTTP"
		42 |   vpc_id   = data.aws_vpc.shared.id
		43 |   health_check {
		44 |     port     = 5401
		45 |     protocol = "HTTP"
		46 |     matcher  = 302
		47 |     timeout  = 10
		48 |   }
		49 | }

Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_135: "Ensure that EC2 is EBS optimized"
	FAILED for resource: aws_instance.ec2_webgate
	File: /ec2-oracle_webgate.tf:1-104
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ec2-is-ebs-optimized

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_184: "Ensure resource is encrypted by KMS using a customer managed Key (CMK)"
	FAILED for resource: aws_efs_file_system.appshare
	File: /efs.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-104

		1 | resource "aws_efs_file_system" "appshare" {
		2 |   encrypted        = true
		3 |   throughput_mode  = "bursting"
		4 |   performance_mode = "maxIO"
		5 |   tags = merge(local.tags,
		6 |     { Name = "appshare" }
		7 |   )
		8 | }

Check: CKV_AWS_382: "Ensure no security groups allow egress from 0.0.0.0:0 to port -1"
	FAILED for resource: aws_security_group.efs-security-group
	File: /efs.tf:34-63

		34 | resource "aws_security_group" "efs-security-group" {
		35 |   name_prefix = "efs-security-group"
		36 |   description = "allow inbound access from ebsdb and ebsconc"
		37 |   vpc_id      = data.aws_vpc.shared.id
		38 | 
		39 |   # Allow inbound access from container instances	
		40 |   ingress {
		41 |     protocol  = "tcp"
		42 |     from_port = 2049
		43 |     to_port   = 2049
		44 |     cidr_blocks = [
		45 |       data.aws_subnet.data_subnets_a.cidr_block,
		46 |       data.aws_subnet.data_subnets_b.cidr_block,
		47 |       data.aws_subnet.data_subnets_c.cidr_block,
		48 |     ]
		49 |   }
		50 | 
		51 |   egress {
		52 |     protocol  = "-1"
		53 |     from_port = 0
		54 |     to_port   = 0
		55 |     cidr_blocks = [
		56 |       "0.0.0.0/0",
		57 |     ]
		58 |   }
		59 | 
		60 |   tags = merge(local.tags,
		61 |     { Name = lower(format("sg-%s-%s-efs", local.application_name, local.environment)) }
		62 |   )
		63 | }

Check: CKV_AWS_23: "Ensure every security group and rule has a description"
	FAILED for resource: aws_security_group.efs-security-group
	File: /efs.tf:34-63
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/networking-31

		34 | resource "aws_security_group" "efs-security-group" {
		35 |   name_prefix = "efs-security-group"
		36 |   description = "allow inbound access from ebsdb and ebsconc"
		37 |   vpc_id      = data.aws_vpc.shared.id
		38 | 
		39 |   # Allow inbound access from container instances	
		40 |   ingress {
		41 |     protocol  = "tcp"
		42 |     from_port = 2049
		43 |     to_port   = 2049
		44 |     cidr_blocks = [
		45 |       data.aws_subnet.data_subnets_a.cidr_block,
		46 |       data.aws_subnet.data_subnets_b.cidr_block,
		47 |       data.aws_subnet.data_subnets_c.cidr_block,
		48 |     ]
		49 |   }
		50 | 
		51 |   egress {
		52 |     protocol  = "-1"
		53 |     from_port = 0
		54 |     to_port   = 0
		55 |     cidr_blocks = [
		56 |       "0.0.0.0/0",
		57 |     ]
		58 |   }
		59 | 
		60 |   tags = merge(local.tags,
		61 |     { Name = lower(format("sg-%s-%s-efs", local.application_name, local.environment)) }
		62 |   )
		63 | }

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.ec2_operations_policy
	File: /iam.tf:249-273
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		249 | resource "aws_iam_policy" "ec2_operations_policy" {
		250 |   name        = "ec2_operations-${local.environment}"
		251 |   description = "Allows EC2 operations."
		252 | 
		253 |   policy = jsonencode(
		254 |     {
		255 |       "Version" : "2012-10-17",
		256 |       "Statement" : [
		257 |         {
		258 |           "Sid" : "EC2Operations",
		259 |           "Effect" : "Allow",
		260 |           "Action" : [
		261 |             "ec2:Describe*",
		262 |             "ec2:CreateSnapshot",
		263 |             "ec2:CreateSnapshots",
		264 |             "ec2:DeleteSnapshot",
		265 |             "ec2:CreateTags",
		266 |             "ec2:DeleteTags"
		267 |           ],
		268 |           "Resource" : "*"
		269 |         }
		270 |       ]
		271 |     }
		272 |   )
		273 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket
	File: /s3.tf:2-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-logging
	File: /s3.tf:96-162
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-dbbackup
	File: /s3.tf:186-252
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_365: "Ensure SES Configuration Set enforces TLS usage"
	FAILED for resource: aws_ses_configuration_set.default_configuration_set
	File: /ses.tf:35-43
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-365

		35 | resource "aws_ses_configuration_set" "default_configuration_set" {
		36 |   name = "default-configuration-set"
		37 | 
		38 |   delivery_options {
		39 |     tls_policy = "Optional"
		40 |   }
		41 |   reputation_metrics_enabled = true
		42 |   sending_enabled            = true
		43 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /sns.tf:2-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name                    = "support_email_account"
		4 |   description             = "email address of the support account for cw alerts"
		5 |   recovery_window_in_days = local.is-production ? 30 : 0
		6 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.cw_alerts
	File: /sns.tf:18-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		18 | resource "aws_sns_topic" "cw_alerts" {
		19 |   name = "ccms-ebs-ec2-alerts"
		20 |   #kms_master_key_id = "alias/aws/sns"
		21 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.s3_topic
	File: /sns.tf:35-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		35 | resource "aws_sns_topic" "s3_topic" {
		36 |   name   = "s3-event-notification-topic"
		37 |   policy = data.aws_iam_policy_document.s3_topic_policy.json
		38 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.ddos_alarm
	File: /sns.tf:52-55
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		52 | resource "aws_sns_topic" "ddos_alarm" {
		53 |   name = format("%s_ddos_alarm", local.application_name)
		54 |   #kms_master_key_id = "alias/aws/sns"
		55 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.secret_ftp_s3
	File: /ccms-secrets.tf:3-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		3  | resource "aws_secretsmanager_secret" "secret_ftp_s3" {
		4  |   count       = local.is-test ? 1 : 0
		5  |   name        = "ftp-s3-${local.environment}-aws-key"
		6  |   description = "AWS credentials for mounting of s3 buckets for the FTP Service to access"
		7  | 
		8  |   tags = merge(local.tags,
		9  |     { Name = "ftp-s3-${local.environment}-aws-key" }
		10 |   )
		11 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.support_email_account
	File: /sns.tf:2-6
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		2 | resource "aws_secretsmanager_secret" "support_email_account" {
		3 |   name                    = "support_email_account"
		4 |   description             = "email address of the support account for cw alerts"
		5 |   recovery_window_in_days = local.is-production ? 30 : 0
		6 | }

Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
	FAILED for resource: aws_ssm_parameter.cw_agent_config
	File: /cloudwatch.tf:28-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted

		28 | resource "aws_ssm_parameter" "cw_agent_config" {
		29 |   description = "cloud watch agent config"
		30 |   name        = "cloud-watch-config"
		31 |   type        = "String"
		32 |   value       = file("./templates/cw_agent_config.json")
		33 | 
		34 |   tags = merge(local.tags,
		35 |     { Name = "cw-config" }
		36 |   )
		37 | }

Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
	FAILED for resource: aws_kms_key.oracle_ec2
	File: /kms.tf:1-7
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64

		1 | resource "aws_kms_key" "oracle_ec2" {
		2 |   enable_key_rotation = true
		3 | 
		4 |   tags = merge(local.tags,
		5 |     { Name = "oracle_ec2" }
		6 |   )
		7 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /s3.tf:280-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		280 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		281 |   bucket = "${local.application_name}-${local.environment}-shared"
		282 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /s3.tf:280-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		280 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		281 |   bucket = "${local.application_name}-${local.environment}-shared"
		282 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /s3.tf:280-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		280 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		281 |   bucket = "${local.application_name}-${local.environment}-shared"
		282 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /s3.tf:280-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		280 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		281 |   bucket = "${local.application_name}-${local.environment}-shared"
		282 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /s3.tf:280-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		280 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		281 |   bucket = "${local.application_name}-${local.environment}-shared"
		282 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /s3.tf:280-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		280 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		281 |   bucket = "${local.application_name}-${local.environment}-shared"
		282 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.ccms_ebs_shared
	File: /s3.tf:280-282
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		280 | resource "aws_s3_bucket" "ccms_ebs_shared" {
		281 |   bucket = "${local.application_name}-${local.environment}-shared"
		282 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/ccms-ebs-upgrade

*****************************

Running tflint in terraform/environments/ccms-ebs-upgrade
Excluding the following checks: terraform_unused_declarations
5 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs-upgrade/ccms-ec2-ftp.tf line 24:
  24:     environment               = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs-upgrade/ccms-ec2-ftp.tf line 25:
  25:     lz_aws_account_id_env     = "${local.application_data.accounts[local.environment].lz_aws_account_id_env}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs-upgrade/ccms-ec2-ftp.tf line 26:
  26:     lz_ftp_bucket_environment = "${local.application_data.accounts[local.environment].lz_ftp_bucket_environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_conc.tf line 31:
  31:     environment = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/ccms-ebs-upgrade/ec2-oracle_ebs_db.tf line 31:
  31:     environment = "${local.environment}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/ccms-ebs-upgrade

*****************************

Running Trivy in terraform/environments/ccms-ebs-upgrade
2025-01-28T16:07:42Z	INFO	[vulndb] Need to update DB
2025-01-28T16:07:42Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-28T16:07:42Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-28T16:07:45Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-28T16:07:45Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-28T16:07:45Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-28T16:07:45Z	INFO	[misconfig] Need to update the built-in checks
2025-01-28T16:07:45Z	INFO	[misconfig] Downloading the built-in checks...
164.50 KiB / 164.50 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-28T16:07:45Z	INFO	[secret] Secret scanning is enabled
2025-01-28T16:07:45Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-28T16:07:45Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-28T16:07:46Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-28T16:07:46Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-28T16:07:46Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_cloudwatch_log_group.groups" value="cty.NilVal"
2025-01-28T16:07:46Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_route53_record.external_validation" value="cty.NilVal"
2025-01-28T16:07:46Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_egress_traffic" value="cty.NilVal"
2025-01-28T16:07:46Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="aws_security_group_rule.all_internal_ingress_traffic" value="cty.NilVal"
2025-01-28T16:07:47Z	INFO	[terraform scanner] Scanning root module	file_path="modules"
2025-01-28T16:07:47Z	INFO	[terraform scanner] Scanning root module	file_path="modules/cw-logs"
2025-01-28T16:07:50Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:157-165"
2025-01-28T16:07:50Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-enable-versioning" range="github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v7.0.0/main.tf:170"
2025-01-28T16:07:51Z	INFO	Number of language-specific files	num=0
2025-01-28T16:07:51Z	INFO	Detected config files	num=21

ec2-oracle_accessgate.tf (terraform)
====================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2-oracle_accessgate.tf:1-104
────────────────────────────────────────
   1resource "aws_instance" "ec2_accessgate" {
   2count                  = local.application_data.accounts[local.environment].accessgate_no_instances
   3instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_accessgate
   4ami                    = local.application_data.accounts[local.environment]["accessgate_ami_id-${count.index + 1}"]
   5key_name               = local.application_data.accounts[local.environment].key_name
   6vpc_security_group_ids = [aws_security_group.ec2_sg_accessgate.id]
   7subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9monitoring                  = true
  ..   
────────────────────────────────────────



ec2-oracle_ebs_apps-alb.tf (terraform)
======================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ec2-oracle_ebs_apps-alb.tf:1-19
────────────────────────────────────────
   1resource "aws_lb" "ebsapps_lb" {
   2name               = lower(format("lb-%s-ebsapp", local.application_name))
   3internal           = true
   4load_balancer_type = "application"
   5security_groups    = [aws_security_group.sg_ebsapps_lb.id]
   6subnets            = data.aws_subnets.shared-private.ids
   78enable_deletion_protection = true
   9..   
────────────────────────────────────────



ec2-oracle_ebs_apps.tf (terraform)
==================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2-oracle_ebs_apps.tf:1-50
────────────────────────────────────────
   1resource "aws_instance" "ec2_ebsapps" {
   2count                  = local.application_data.accounts[local.environment].ebsapps_no_instances
   3instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsapps
   4ami                    = local.application_data.accounts[local.environment]["ebsapps_ami_id-${count.index + 1}"]
   5key_name               = local.application_data.accounts[local.environment].key_name
   6vpc_security_group_ids = [aws_security_group.ec2_sg_ebsapps.id]
   7subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9monitoring                  = true
  ..   
────────────────────────────────────────



ec2-oracle_ebs_conc.tf (terraform)
==================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ec2-oracle_ebs_conc.tf:1-48
────────────────────────────────────────
   1resource "aws_instance" "ec2_oracle_conc" {
   2count                       = local.application_data.accounts[local.environment].conc_no_instances
   3instance_type               = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsconc
   4ami                         = local.application_data.accounts[local.environment].ebsconc_ami_id
   5key_name                    = local.application_data.accounts[local.environment].key_name
   6vpc_security_group_ids      = [aws_security_group.ec2_sg_ebsconc.id]
   7subnet_id                   = data.aws_subnet.data_subnets_a.id
   8monitoring                  = true
   9ebs_optimized               = local.application_data.accounts[local.environment].ebs_optimized
  ..   
────────────────────────────────────────



ec2-oracle_ebs_db.tf (terraform)
================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0131 (HIGH): Root block device is not encrypted.
════════════════════════════════════════
Block devices should be encrypted to ensure sensitive data is held securely at rest.


See https://avd.aquasec.com/misconfig/avd-aws-0131
────────────────────────────────────────
 ec2-oracle_ebs_db.tf:1-48
────────────────────────────────────────
   1resource "aws_instance" "ec2_oracle_ebs" {
   2instance_type = local.application_data.accounts[local.environment].ec2_oracle_instance_type_ebsdb
   3#ami                         = data.aws_ami.oracle_db.id
   4ami                         = local.application_data.accounts[local.environment].ebsdb_ami_id
   5key_name                    = local.application_data.accounts[local.environment].key_name
   6vpc_security_group_ids      = [aws_security_group.ec2_sg_ebsdb.id]
   7subnet_id                   = data.aws_subnet.data_subnets_a.id
   8monitoring                  = true
   9ebs_optimized               = false
  ..   
────────────────────────────────────────



ec2-oracle_webgate-alb.tf (terraform)
=====================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0052 (HIGH): Application load balancer is not set to drop invalid headers.
════════════════════════════════════════
Passing unknown or invalid headers through to the target poses a potential risk of compromise.
By setting drop_invalid_header_fields to true, anything that does not conform to well known, defined headers will be removed by the load balancer.


See https://avd.aquasec.com/misconfig/avd-aws-0052
────────────────────────────────────────
 ec2-oracle_webgate-alb.tf:1-19
────────────────────────────────────────
   1resource "aws_lb" "webgate_lb" {
   2name               = lower(format("lb-%s-webgate", local.application_name))
   3internal           = true
   4load_balancer_type = "application"
   5security_groups    = [aws_security_group.sg_webgate_lb.id]
   6subnets            = data.aws_subnets.shared-private.ids
   78enable_deletion_protection = true
   9..   
────────────────────────────────────────



ec2-oracle_webgate.tf (terraform)
=================================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (HIGH: 1, CRITICAL: 0)

AVD-AWS-0028 (HIGH): Instance does not require IMDS access to require a token.
════════════════════════════════════════
IMDS v2 (Instance Metadata Service) introduced session authentication tokens which improve security when talking to IMDS.

By default <code>aws_instance</code> resource sets IMDS session auth tokens to be optional.

To fully protect IMDS you need to enable session tokens by using <code>metadata_options</code> block and its <code>http_tokens</code> variable set to <code>required</code>.


See https://avd.aquasec.com/misconfig/avd-aws-0028
────────────────────────────────────────
 ec2-oracle_webgate.tf:1-104
────────────────────────────────────────
   1resource "aws_instance" "ec2_webgate" {
   2count                  = local.application_data.accounts[local.environment].webgate_no_instances
   3instance_type          = local.application_data.accounts[local.environment].ec2_oracle_instance_type_webgate
   4ami                    = local.application_data.accounts[local.environment]["webgate_ami_id-${count.index + 1}"]
   5key_name               = local.application_data.accounts[local.environment].key_name
   6vpc_security_group_ids = [aws_security_group.ec2_sg_webgate.id]
   7subnet_id              = local.private_subnets[count.index]
   8#subnet_id                   = data.aws_subnet.data_subnets_a.id
   9monitoring                  = true
  ..   
────────────────────────────────────────



s3.tf (terraform)
=================
Tests: 4 (SUCCESSES: 0, FAILURES: 4)
Failures: 4 (HIGH: 4, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 s3.tf:280-282
────────────────────────────────────────
 280resource "aws_s3_bucket" "ccms_ebs_shared" {
 281bucket = "${local.application_name}-${local.environment}-shared"
 282 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 s3.tf:280-282
────────────────────────────────────────
 280resource "aws_s3_bucket" "ccms_ebs_shared" {
 281bucket = "${local.application_name}-${local.environment}-shared"
 282 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 s3.tf:280-282
────────────────────────────────────────
 280resource "aws_s3_bucket" "ccms_ebs_shared" {
 281bucket = "${local.application_name}-${local.environment}-shared"
 282 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 s3.tf:280-282
────────────────────────────────────────
 280resource "aws_s3_bucket" "ccms_ebs_shared" {
 281bucket = "${local.application_name}-${local.environment}-shared"
 282 └ }
────────────────────────────────────────


trivy_exitcode=1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mmgovuk mmgovuk mmgovuk approved these changes

Assignees
No one assigned
Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@SahidKhan89 @mmgovuk