modernisation-platform
:fr: Enabling Paris II: Rebaselining
A reference to the issue / Description of it
https://github.com/ministryofjustice/modernisation-platform/issues/6917
https://github.com/ministryofjustice/data-platform/issues/4222
Analytical Platform had a customer request to make Bedrock available in Paris due to model selection being better than Frankfurt. The region is not currently used and therefore bootstrapped on MP.
How does this PR fix the problem?
This updates provider definitions and adds eu-west-3 to enabled regions. The last attempt had failed due to sprinkler not having been enrolled in SecurityHub at the org level. sprinkler and other accounts have now been enrolled and future accounts will be enrolled automatically.
How has this been tested?
Last attempt failed on apply to sprinkler step during the initial PR checks. The main test is running the secure-baselines component on sprinkler again.
Deployment Plan / Instructions
This shouldn't impact live services. However, it will break further secure-baselines runs if the apply on sprinkler fails. The backout steps are here
{Please write here}
Checklist (check x in [ ] of list items)
- [X] I have performed a self-review of my own code
- [X] All checks have passed
- [X] I have made corresponding changes to the documentation
- [ ] Plan and discussed how it should be deployed to PROD (If needed)
Additional comments (if any)
{Please write here}
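The Trivy finding avd-aws-0136 in the scan output below flags the baselines module's SNS topics (the `config` topic is keyed to `alias/aws/sns`, an AWS managed key). As an added illustration that is not part of this PR or of the baselines module, here is the flagged pattern beside a customer managed key version; the key policy statement for `backup.amazonaws.com` is what keeps AWS Backup able to publish once the topic is CMK-encrypted (the same grant is needed for `config.amazonaws.com` on the Config topic). Resource names, the alias name and the use of `aws_caller_identity` are assumptions.

```hcl
# Added example, not code from this PR or from the baselines module.

# Flagged pattern (avd-aws-0136): the AWS managed key for SNS. Data is
# encrypted at rest, but key policy and rotation are outside the account's
# control, which is why the scanner wants a customer managed key instead.
resource "aws_sns_topic" "backup_failure_topic_aws_managed" {
  name              = "backup_failure_topic_aws_managed" # distinct name so both can coexist
  kms_master_key_id = "alias/aws/sns"
}

data "aws_caller_identity" "current" {}

# Customer managed key for the topic. The second statement is the part that
# is easy to miss: with a CMK, AWS Backup can only publish to the topic if the
# key policy lets the service generate data keys and decrypt. Without it the
# topic is encrypted but Backup's publishes fail and no notifications arrive.
resource "aws_kms_key" "sns_backup_topic" {
  description         = "CMK for backup_failure_topic"
  enable_key_rotation = true

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Sid       = "AccountRootFullAccess"
        Effect    = "Allow"
        Principal = { AWS = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root" }
        Action    = "kms:*"
        Resource  = "*"
      },
      {
        Sid       = "AllowAWSBackupToUseKey"
        Effect    = "Allow"
        Principal = { Service = "backup.amazonaws.com" }
        Action    = ["kms:GenerateDataKey*", "kms:Decrypt"]
        Resource  = "*"
      }
    ]
  })
}

resource "aws_kms_alias" "sns_backup_topic" {
  name          = "alias/sns-backup-topic" # assumed alias name
  target_key_id = aws_kms_key.sns_backup_topic.key_id
}

# Corrected topic: same purpose as the flagged one, CMK instead of alias/aws/sns.
resource "aws_sns_topic" "backup_failure_topic" {
  name              = "backup_failure_topic"
  kms_master_key_id = aws_kms_key.sns_backup_topic.arn
}

# The topic access policy is still required for AWS Backup to publish;
# encryption does not replace it.
resource "aws_sns_topic_policy" "backup_failure_topic" {
  arn = aws_sns_topic.backup_failure_topic.arn

  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Sid       = "AllowAWSBackupPublish"
      Effect    = "Allow"
      Principal = { Service = "backup.amazonaws.com" }
      Action    = "SNS:Publish"
      Resource  = aws_sns_topic.backup_failure_topic.arn
    }]
  })
}
```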
#### `Trivy Scan` Failed
<details><summary>Show Output</summary>

```hcl
*****************************
Trivy will check the following folders:
terraform/environments/bootstrap/secure-baselines terraform/modernisation-platform-account
*****************************
Running Trivy in terraform/environments/bootstrap/secure-baselines
2024-05-10T07:31:28Z INFO Need to update DB
2024-05-10T07:31:28Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-10T07:31:30Z INFO Vulnerability scanning is enabled
2024-05-10T07:31:30Z INFO Misconfiguration scanning is enabled
2024-05-10T07:31:30Z INFO Need to update the built-in policies
2024-05-10T07:31:30Z INFO Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-05-10T07:31:31Z INFO Secret scanning is enabled
2024-05-10T07:31:31Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-10T07:31:31Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-10T07:31:34Z INFO Number of language-specific files num=0
2024-05-10T07:31:34Z INFO Detected config files num=8
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=2a59110767bd30e949b242818da7dbe72fe9481b/config.tf (terraform)
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1) Failures: 0 (HIGH: 0, CRITICAL: 0)
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=2a59110767bd30e949b242818da7dbe72fe9481b/modules/cloudtrail/main.tf (terraform)
Tests: 5 (SUCCESSES: 3, FAILURES: 0, EXCEPTIONS: 2) Failures: 0 (HIGH: 0, CRITICAL: 0)
trivy_exitcode=0
*****************************
Running Trivy in terraform/modernisation-platform-account
2024-05-10T07:31:34Z INFO Vulnerability scanning is enabled
2024-05-10T07:31:34Z INFO Misconfiguration scanning is enabled
2024-05-10T07:31:34Z INFO Secret scanning is enabled
2024-05-10T07:31:34Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-10T07:31:34Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-10T07:32:04Z INFO Number of language-specific files num=0
2024-05-10T07:32:04Z INFO Detected config files num=22
../modules/collaborators/main.tf (terraform)
Tests: 24 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 24) Failures: 0 (HIGH: 0, CRITICAL: 0)
git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=39e42e1f847afe5fd1c1c98c64871817e37e33ca/modules/iam-group-with-policies/policies.tf (terraform)
Tests: 49 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 49) Failures: 0 (HIGH: 0, CRITICAL: 0)
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf (terraform)
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1) Failures: 0 (HIGH: 0, CRITICAL: 0)
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf (terraform)
Tests: 7 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 0) Failures: 1 (HIGH: 1, CRITICAL: 0)
HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.
See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:157-165
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:103-153 (module.config-bucket)
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
157 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "default" {
158 │ bucket = aws_s3_bucket.default.id
159 │ rule {
160 │ apply_server_side_encryption_by_default {
161 │ sse_algorithm = var.sse_algorithm
162 │ kms_master_key_id = (var.custom_kms_key != "") ? var.custom_kms_key : ""
163 │ }
164 │ }
165 └ }
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf (terraform)
Tests: 10 (SUCCESSES: 5, FAILURES: 5, EXCEPTIONS: 0) Failures: 5 (HIGH: 5, CRITICAL: 0)
HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.
See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:120
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:119-125 (aws_sns_topic.backup_failure_topic)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/backup.tf:98-107 (module.backup-eu-central-1["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
119 resource "aws_sns_topic" "backup_failure_topic" {
120 [ kms_master_key_id = var.sns_backup_topic_key
121 name = "backup_failure_topic"
122 tags = merge(var.tags, {
123 Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"
124 })
125 }
────────────────────────────────────────
HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.
See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:120
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:119-125 (aws_sns_topic.backup_failure_topic)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/backup.tf:164-173 (module.backup-us-east-1["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
119 resource "aws_sns_topic" "backup_failure_topic" {
120 [ kms_master_key_id = var.sns_backup_topic_key
121 name = "backup_failure_topic"
122 tags = merge(var.tags, {
123 Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"
124 })
125 }
────────────────────────────────────────
HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.
See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:120
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:119-125 (aws_sns_topic.backup_failure_topic)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/backup.tf:142-151 (module.backup-eu-west-3["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
119 resource "aws_sns_topic" "backup_failure_topic" {
120 [ kms_master_key_id = var.sns_backup_topic_key
121 name = "backup_failure_topic"
122 tags = merge(var.tags, {
123 Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"
124 })
125 }
────────────────────────────────────────
HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.
See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:120
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:119-125 (aws_sns_topic.backup_failure_topic)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/backup.tf:131-140 (module.backup-eu-west-2["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
119 resource "aws_sns_topic" "backup_failure_topic" {
120 [ kms_master_key_id = var.sns_backup_topic_key
121 name = "backup_failure_topic"
122 tags = merge(var.tags, {
123 Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"
124 })
125 }
────────────────────────────────────────
HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.
See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:120
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:119-125 (aws_sns_topic.backup_failure_topic)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/backup.tf:120-129 (module.backup-eu-west-1["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
119 resource "aws_sns_topic" "backup_failure_topic" {
120 [ kms_master_key_id = var.sns_backup_topic_key
121 name = "backup_failure_topic"
122 tags = merge(var.tags, {
123 Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"
124 })
125 }
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/cloudtrail/main.tf (terraform)
Tests: 5 (SUCCESSES: 4, FAILURES: 0, EXCEPTIONS: 1) Failures: 0 (HIGH: 0, CRITICAL: 0)
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf (terraform)
Tests: 10 (SUCCESSES: 5, FAILURES: 5, EXCEPTIONS: 0) Failures: 5 (HIGH: 5, CRITICAL: 0)
HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.
See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:40
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:38-42 (aws_sns_topic.default)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:334-351 (module.config-eu-central-1["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
38 resource "aws_sns_topic" "default" {
39 name = "config"
40 [ kms_master_key_id = "alias/aws/sns"
41 tags = var.tags
42 }
────────────────────────────────────────
HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.
See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:40
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:38-42 (aws_sns_topic.default)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:372-389 (module.config-eu-west-1["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
38 resource "aws_sns_topic" "default" {
39 name = "config"
40 [ kms_master_key_id = "alias/aws/sns"
41 tags = var.tags
42 }
────────────────────────────────────────
HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.
See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:40
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:38-42 (aws_sns_topic.default)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:391-408 (module.config-eu-west-2["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
38 resource "aws_sns_topic" "default" {
39 name = "config"
40 [ kms_master_key_id = "alias/aws/sns"
41 tags = var.tags
42 }
────────────────────────────────────────
HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.
See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:40
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:38-42 (aws_sns_topic.default)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:410-427 (module.config-eu-west-3["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
38 resource "aws_sns_topic" "default" {
39 name = "config"
40 [ kms_master_key_id = "alias/aws/sns"
41 tags = var.tags
42 }
────────────────────────────────────────
HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.
See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:40
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:38-42 (aws_sns_topic.default)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:448-465 (module.config-us-east-1["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
38 resource "aws_sns_topic" "default" {
39 name = "config"
40 [ kms_master_key_id = "alias/aws/sns"
41 tags = var.tags
42 }
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-iam-superadmins?ref=9ba93858510a46312a36cd40a2afae2eedf68ca5/github.com/terraform-aws-modules/terraform-aws-iam.git/modules/iam-group-with-policies?ref=25e2bf9f9f4757a7014b55db981be9d2beeab445/policies.tf (terraform)
Tests: 44 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 44) Failures: 0 (HIGH: 0, CRITICAL: 0)
github.com/ministryofjustice/modernisation-platform-terraform-iam-superadmins?ref=9ba93858510a46312a36cd40a2afae2eedf68ca5/main.tf (terraform)
Tests: 39 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 39) Failures: 0 (HIGH: 0, CRITICAL: 0)
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket-replication-role?ref=3b8a2945c1d266cc0ec2b21edb7f186b6574bda7/main.tf (terraform)
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1) Failures: 0 (HIGH: 0, CRITICAL: 0)
iam.tf (terraform)
Tests: 5 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 5) Failures: 0 (HIGH: 0, CRITICAL: 0)
trivy_exitcode=1
```
</details>

#### `Checkov Scan` Success
<details><summary>Show Output</summary>
```hcl
*****************************
Checkov will check the following folders:
terraform/environments/bootstrap/secure-baselines terraform/modernisation-platform-account
*****************************
Running Checkov in terraform/environments/bootstrap/secure-baselines
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-05-10 07:32:06,831 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=2a59110767bd30e949b242818da7dbe72fe9481b:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 9, Failed checks: 0, Skipped checks: 0
checkov_exitcode=0
*****************************
Running Checkov in terraform/modernisation-platform-account
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-05-10 07:32:10,420 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-iam-superadmins?ref=9ba93858510a46312a36cd40a2afae2eedf68ca5:None (for external modules, the --download-external-modules flag is required)
2024-05-10 07:32:10,420 [MainThread ] [WARNI] Failed to download module terraform-aws-modules/iam/aws//modules/iam-group-with-policies:~> 5.0 (for external modules, the --download-external-modules flag is required)
2024-05-10 07:32:10,420 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-provider?ref=82f546bd5f002674138a2ccdade7d7618c6758b3:None (for external modules, the --download-external-modules flag is required)
2024-05-10 07:32:10,420 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket-replication-role?ref=3b8a2945c1d266cc0ec2b21edb7f186b6574bda7:None (for external modules, the --download-external-modules flag is required)
2024-05-10 07:32:10,421 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1:None (for external modules, the --download-external-modules flag is required)
2024-05-10 07:32:10,421 [MainThread ] [WARNI] Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14:None (for external modules, the --download-external-modules flag is required)
terraform scan results:
Passed checks: 207, Failed checks: 0, Skipped checks: 22
checkov_exitcode=0
```
</details>

#### `CTFLint Scan` Success
<details><summary>Show Output</summary>

```hcl
*****************************
Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/bootstrap/secure-baselines terraform/modernisation-platform-account
*****************************
Running tflint in terraform/environments/bootstrap/secure-baselines
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0
*****************************
Running tflint in terraform/modernisation-platform-account
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0
```
</details>
────────────────────────────────────────
119 resource "aws_sns_topic" "backup_failure_topic" {
120 [ kms_master_key_id = var.sns_backup_topic_key
121 name = "backup_failure_topic"
122 tags = merge(var.tags, {
123 Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"
124 })
125 }
────────────────────────────────────────
HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.
See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:120
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/backup/main.tf:119-125 (aws_sns_topic.backup_failure_topic)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/backup.tf:120-129 (module.backup-eu-west-1["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
119 resource "aws_sns_topic" "backup_failure_topic" {
120 [ kms_master_key_id = var.sns_backup_topic_key
121 name = "backup_failure_topic"
122 tags = merge(var.tags, {
123 Description = "This backup topic is so the MP team can subscribe to backup notifications from selected accounts and teams using member-unrestricted accounts can create their own subscriptions"
124 })
125 }
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/cloudtrail/main.tf (terraform)
===========================================================================================================================================================
Tests: 5 (SUCCESSES: 4, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf (terraform)
=======================================================================================================================================================
Tests: 10 (SUCCESSES: 5, FAILURES: 5, EXCEPTIONS: 0)
Failures: 5 (HIGH: 5, CRITICAL: 0)
HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.
See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:40
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:38-42 (aws_sns_topic.default)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:334-351 (module.config-eu-central-1["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
38 resource "aws_sns_topic" "default" {
39 name = "config"
40 [ kms_master_key_id = "alias/aws/sns"
41 tags = var.tags
42 }
────────────────────────────────────────
HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.
See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:40
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:38-42 (aws_sns_topic.default)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:372-389 (module.config-eu-west-1["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
38 resource "aws_sns_topic" "default" {
39 name = "config"
40 [ kms_master_key_id = "alias/aws/sns"
41 tags = var.tags
42 }
────────────────────────────────────────
HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.
See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:40
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:38-42 (aws_sns_topic.default)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:391-408 (module.config-eu-west-2["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
38 resource "aws_sns_topic" "default" {
39 name = "config"
40 [ kms_master_key_id = "alias/aws/sns"
41 tags = var.tags
42 }
────────────────────────────────────────
HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.
See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:40
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:38-42 (aws_sns_topic.default)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:410-427 (module.config-eu-west-3["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
38 resource "aws_sns_topic" "default" {
39 name = "config"
40 [ kms_master_key_id = "alias/aws/sns"
41 tags = var.tags
42 }
────────────────────────────────────────
HIGH: Topic encryption does not use a customer managed key.
════════════════════════════════════════
Topics should be encrypted with customer managed KMS keys and not default AWS managed keys, in order to allow granular key management.
See https://avd.aquasec.com/misconfig/avd-aws-0136
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:40
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/modules/config/main.tf:38-42 (aws_sns_topic.default)
via github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=b5ae2be29aaa29d644b6909af51acefdfaa80e14/config.tf:448-465 (module.config-us-east-1["enabled"])
via baselines.tf:19-67 (module.baselines-modernisation-platform)
────────────────────────────────────────
38 resource "aws_sns_topic" "default" {
39 name = "config"
40 [ kms_master_key_id = "alias/aws/sns"
41 tags = var.tags
42 }
────────────────────────────────────────
github.com/ministryofjustice/modernisation-platform-terraform-iam-superadmins?ref=9ba93858510a46312a36cd40a2afae2eedf68ca5/github.com/terraform-aws-modules/terraform-aws-iam.git/modules/iam-group-with-policies?ref=25e2bf9f9f4757a7014b55db981be9d2beeab445/policies.tf (terraform)
======================================================================================================================================================================================================================================================================================
Tests: 44 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 44)
Failures: 0 (HIGH: 0, CRITICAL: 0)
github.com/ministryofjustice/modernisation-platform-terraform-iam-superadmins?ref=9ba93858510a46312a36cd40a2afae2eedf68ca5/main.tf (terraform)
==============================================================================================================================================
Tests: 39 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 39)
Failures: 0 (HIGH: 0, CRITICAL: 0)
github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket-replication-role?ref=3b8a2945c1d266cc0ec2b21edb7f186b6574bda7/main.tf (terraform)
=========================================================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)
iam.tf (terraform)
==================
Tests: 5 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 5)
Failures: 0 (HIGH: 0, CRITICAL: 0)
trivy_exitcode=1