Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stream logs from CloudWatch to S3 bucket in core-logging account #7705

Merged
merged 11 commits into from
Aug 19, 2024
Merged

Stream logs from CloudWatch to S3 bucket in core-logging account #7705

merged 11 commits into from
Aug 19, 2024

Conversation

dms1981
Copy link
Contributor

@dms1981 dms1981 commented Aug 16, 2024

A reference to the issue / Description of it

#7607

How does this PR fix the problem?

  • Creates an S3 bucket in the core-logging account, along with an SQS notification queue.
  • Creates a module to set up the necessary roles, data streams, and log filter subscriptions to send logs from CloudWatch to a destination bucket.

How has this been tested?

Ran Terraform Plan locally, but this will only create the core-logging resources and then allow tests of the CloudWatch log streaming module before a later PR implements it.

Deployment Plan / Instructions

Deploy through CI

Checklist (check x in [ ] of list items)

  • I have performed a self-review of my own code
  • All checks have passed
  • I have made corresponding changes to the documentation
  • Plan and discussed how it should be deployed to PROD (If needed)

Additional comments (if any)

This PR should put things in place to allow me to then test streaming logs from CloudWatch log groups in, say, core-vpc-sandbox. It doesn't remove any existing use of kinesis, nor does it change any existing logging functionality.

@github-actions github-actions bot added the core label Aug 16, 2024
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

Running Trivy in terraform/environments/core-logging
2024-08-16T12:45:59Z INFO [db] Need to update DB
2024-08-16T12:45:59Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-16T12:46:02Z INFO [vuln] Vulnerability scanning is enabled
2024-08-16T12:46:02Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-16T12:46:02Z INFO Need to update the built-in policies
2024-08-16T12:46:02Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-16T12:46:02Z INFO [secret] Secret scanning is enabled
2024-08-16T12:46:02Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T12:46:02Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T12:46:06Z INFO Number of language-specific files num=1
2024-08-16T12:46:06Z INFO [gomod] Detecting vulnerabilities...
2024-08-16T12:46:06Z INFO Detected config files num=10

cortex.tf (terraform)

Tests: 10 (SUCCESSES: 5, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
cortex.tf:72-75
────────────────────────────────────────
72 ┌ resource "aws_s3_bucket" "logging" {
73 │ bucket_prefix = terraform.workspace
74 │ tags = local.tags
75 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
cortex.tf:72-75
────────────────────────────────────────
72 ┌ resource "aws_s3_bucket" "logging" {
73 │ bucket_prefix = terraform.workspace
74 │ tags = local.tags
75 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
cortex.tf:72-75
────────────────────────────────────────
72 ┌ resource "aws_s3_bucket" "logging" {
73 │ bucket_prefix = terraform.workspace
74 │ tags = local.tags
75 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
cortex.tf:72-75
────────────────────────────────────────
72 ┌ resource "aws_s3_bucket" "logging" {
73 │ bucket_prefix = terraform.workspace
74 │ tags = local.tags
75 └ }
────────────────────────────────────────

trivy_exitcode=1

Running Trivy in terraform/modules/cloudwatch-firehose
2024-08-16T12:46:07Z INFO [vuln] Vulnerability scanning is enabled
2024-08-16T12:46:07Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-16T12:46:07Z INFO [secret] Secret scanning is enabled
2024-08-16T12:46:07Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T12:46:07Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T12:46:07Z INFO Number of language-specific files num=0
2024-08-16T12:46:07Z INFO Detected config files num=2
trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

*****************************

Running Checkov in terraform/environments/core-logging
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-16 12:46:10,858 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1:None (for external modules, the --download-external-modules flag is required)
2024-08-16 12:46:10,858 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab519b10a7d28dfa3b77d407725db6b37614a:None (for external modules, the --download-external-modules flag is required)
2024-08-16 12:46:10,858 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/terraform-aws-observability-platform-tenant?ref=fbbe5c8282786bcc0a00c969fe598e14f12eea9b:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 526, Failed checks: 5, Skipped checks: 192

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.example
	File: /cortex.tf:82-93
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		82 | resource "aws_s3_bucket_lifecycle_configuration" "example" {
		83 |   bucket = aws_s3_bucket.logging.id
		84 | 
		85 |   rule {
		86 |     id = "rule-1"
		87 |     filter {}
		88 |     expiration {
		89 |       days = 14
		90 |     }
		91 |     status = "Enabled"
		92 |   }
		93 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.logging
	File: /cortex.tf:72-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		72 | resource "aws_s3_bucket" "logging" {
		73 |   bucket_prefix = terraform.workspace
		74 |   tags          = local.tags
		75 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.logging
	File: /cortex.tf:72-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		72 | resource "aws_s3_bucket" "logging" {
		73 |   bucket_prefix = terraform.workspace
		74 |   tags          = local.tags
		75 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.logging
	File: /cortex.tf:72-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		72 | resource "aws_s3_bucket" "logging" {
		73 |   bucket_prefix = terraform.workspace
		74 |   tags          = local.tags
		75 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.logging
	File: /cortex.tf:72-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		72 | resource "aws_s3_bucket" "logging" {
		73 |   bucket_prefix = terraform.workspace
		74 |   tags          = local.tags
		75 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/modules/cloudwatch-firehose
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 60, Failed checks: 2, Skipped checks: 0

Check: CKV_AWS_241: "Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK"
	FAILED for resource: aws_kinesis_firehose_delivery_stream.firehose-to-s3
	File: /main.tf:39-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kinesis-firehose-delivery-streams-are-encrypted-with-cmk

		39 | resource "aws_kinesis_firehose_delivery_stream" "firehose-to-s3" {
		40 |   destination = "extended_s3"
		41 |   name        = "cloudwatch-to-s3-${random_id.name.hex}"
		42 | 
		43 |   extended_s3_configuration {
		44 |     bucket_arn = var.destination_bucket_arn
		45 |     role_arn   = aws_iam_role.firehose-to-s3.arn
		46 | 
		47 |     prefix              = "logs/!{partitionKeyFromQuery:logGroupName}/"
		48 |     error_output_prefix = "errors/!{firehose:error-output-type}/!{timestamp:yyyy/MM/dd}/"
		49 | 
		50 |     buffer_size     = 64
		51 |     buffer_interval = 60
		52 | 
		53 |     dynamic_partitioning_configuration {
		54 |       enabled = true
		55 |     }
		56 | 
		57 |     processing_configuration {
		58 |       enabled = true
		59 | 
		60 |       processors {
		61 |         type = "MetadataExtraction"
		62 |         parameters {
		63 |           parameter_name  = "JsonParsingEngine"
		64 |           parameter_value = "JQ"
		65 |         }
		66 |         parameters {
		67 |           parameter_name  = "MetadataExtractionQuery"
		68 |           parameter_value = "{logGroupName:.logGroup}"
		69 |         }
		70 |       }
		71 |     }
		72 |   }
		73 | 
		74 |   tags = var.tags
		75 | }

Check: CKV_AWS_240: "Ensure Kinesis Firehose delivery stream is encrypted"
	FAILED for resource: aws_kinesis_firehose_delivery_stream.firehose-to-s3
	File: /main.tf:39-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kinesis-firehoses-delivery-stream-is-encrypted

		39 | resource "aws_kinesis_firehose_delivery_stream" "firehose-to-s3" {
		40 |   destination = "extended_s3"
		41 |   name        = "cloudwatch-to-s3-${random_id.name.hex}"
		42 | 
		43 |   extended_s3_configuration {
		44 |     bucket_arn = var.destination_bucket_arn
		45 |     role_arn   = aws_iam_role.firehose-to-s3.arn
		46 | 
		47 |     prefix              = "logs/!{partitionKeyFromQuery:logGroupName}/"
		48 |     error_output_prefix = "errors/!{firehose:error-output-type}/!{timestamp:yyyy/MM/dd}/"
		49 | 
		50 |     buffer_size     = 64
		51 |     buffer_interval = 60
		52 | 
		53 |     dynamic_partitioning_configuration {
		54 |       enabled = true
		55 |     }
		56 | 
		57 |     processing_configuration {
		58 |       enabled = true
		59 | 
		60 |       processors {
		61 |         type = "MetadataExtraction"
		62 |         parameters {
		63 |           parameter_name  = "JsonParsingEngine"
		64 |           parameter_value = "JQ"
		65 |         }
		66 |         parameters {
		67 |           parameter_name  = "MetadataExtractionQuery"
		68 |           parameter_value = "{logGroupName:.logGroup}"
		69 |         }
		70 |       }
		71 |     }
		72 |   }
		73 | 
		74 |   tags = var.tags
		75 | }


checkov_exitcode=2

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

*****************************

Running tflint in terraform/environments/core-logging
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/modules/cloudwatch-firehose
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

*****************************

Running Trivy in terraform/environments/core-logging
2024-08-16T12:45:59Z	INFO	[db] Need to update DB
2024-08-16T12:45:59Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-16T12:46:02Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-16T12:46:02Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-16T12:46:02Z	INFO	Need to update the built-in policies
2024-08-16T12:46:02Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-16T12:46:02Z	INFO	[secret] Secret scanning is enabled
2024-08-16T12:46:02Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T12:46:02Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T12:46:06Z	INFO	Number of language-specific files	num=1
2024-08-16T12:46:06Z	INFO	[gomod] Detecting vulnerabilities...
2024-08-16T12:46:06Z	INFO	Detected config files	num=10

cortex.tf (terraform)
=====================
Tests: 10 (SUCCESSES: 5, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 cortex.tf:72-75
────────────────────────────────────────
  72resource "aws_s3_bucket" "logging" {
  73bucket_prefix = terraform.workspace
  74tags          = local.tags
  75 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 cortex.tf:72-75
────────────────────────────────────────
  72resource "aws_s3_bucket" "logging" {
  73bucket_prefix = terraform.workspace
  74tags          = local.tags
  75 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 cortex.tf:72-75
────────────────────────────────────────
  72resource "aws_s3_bucket" "logging" {
  73bucket_prefix = terraform.workspace
  74tags          = local.tags
  75 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 cortex.tf:72-75
────────────────────────────────────────
  72resource "aws_s3_bucket" "logging" {
  73bucket_prefix = terraform.workspace
  74tags          = local.tags
  75 └ }
────────────────────────────────────────


trivy_exitcode=1

*****************************

Running Trivy in terraform/modules/cloudwatch-firehose
2024-08-16T12:46:07Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-16T12:46:07Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-16T12:46:07Z	INFO	[secret] Secret scanning is enabled
2024-08-16T12:46:07Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T12:46:07Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T12:46:07Z	INFO	Number of language-specific files	num=0
2024-08-16T12:46:07Z	INFO	Detected config files	num=2
trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

Running Trivy in terraform/environments/core-logging
2024-08-16T12:50:55Z INFO [db] Need to update DB
2024-08-16T12:50:55Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-16T12:50:57Z INFO [vuln] Vulnerability scanning is enabled
2024-08-16T12:50:57Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-16T12:50:57Z INFO Need to update the built-in policies
2024-08-16T12:50:57Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-16T12:50:57Z INFO [secret] Secret scanning is enabled
2024-08-16T12:50:57Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T12:50:57Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T12:51:01Z INFO Number of language-specific files num=1
2024-08-16T12:51:01Z INFO [gomod] Detecting vulnerabilities...
2024-08-16T12:51:01Z INFO Detected config files num=10

cortex.tf (terraform)

Tests: 10 (SUCCESSES: 5, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.

See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
cortex.tf:72-75
────────────────────────────────────────
72 ┌ resource "aws_s3_bucket" "logging" {
73 │ bucket_prefix = terraform.workspace
74 │ tags = local.tags
75 └ }
────────────────────────────────────────

HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.

See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
cortex.tf:72-75
────────────────────────────────────────
72 ┌ resource "aws_s3_bucket" "logging" {
73 │ bucket_prefix = terraform.workspace
74 │ tags = local.tags
75 └ }
────────────────────────────────────────

HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.

See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
cortex.tf:72-75
────────────────────────────────────────
72 ┌ resource "aws_s3_bucket" "logging" {
73 │ bucket_prefix = terraform.workspace
74 │ tags = local.tags
75 └ }
────────────────────────────────────────

HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
cortex.tf:72-75
────────────────────────────────────────
72 ┌ resource "aws_s3_bucket" "logging" {
73 │ bucket_prefix = terraform.workspace
74 │ tags = local.tags
75 └ }
────────────────────────────────────────

trivy_exitcode=1

Running Trivy in terraform/modules/cloudwatch-firehose
2024-08-16T12:51:01Z INFO [vuln] Vulnerability scanning is enabled
2024-08-16T12:51:01Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-16T12:51:01Z INFO [secret] Secret scanning is enabled
2024-08-16T12:51:01Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T12:51:01Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T12:51:02Z INFO Number of language-specific files num=0
2024-08-16T12:51:02Z INFO Detected config files num=2
trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

*****************************

Running Checkov in terraform/environments/core-logging
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-16 12:51:04,583 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1:None (for external modules, the --download-external-modules flag is required)
2024-08-16 12:51:04,583 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab519b10a7d28dfa3b77d407725db6b37614a:None (for external modules, the --download-external-modules flag is required)
2024-08-16 12:51:04,583 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/terraform-aws-observability-platform-tenant?ref=fbbe5c8282786bcc0a00c969fe598e14f12eea9b:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 526, Failed checks: 5, Skipped checks: 192

Check: CKV_AWS_300: "Ensure S3 lifecycle configuration sets period for aborting failed uploads"
	FAILED for resource: aws_s3_bucket_lifecycle_configuration.example
	File: /cortex.tf:82-93
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-300

		82 | resource "aws_s3_bucket_lifecycle_configuration" "example" {
		83 |   bucket = aws_s3_bucket.logging.id
		84 | 
		85 |   rule {
		86 |     id = "rule-1"
		87 |     filter {}
		88 |     expiration {
		89 |       days = 14
		90 |     }
		91 |     status = "Enabled"
		92 |   }
		93 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.logging
	File: /cortex.tf:72-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		72 | resource "aws_s3_bucket" "logging" {
		73 |   bucket_prefix = terraform.workspace
		74 |   tags          = local.tags
		75 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.logging
	File: /cortex.tf:72-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		72 | resource "aws_s3_bucket" "logging" {
		73 |   bucket_prefix = terraform.workspace
		74 |   tags          = local.tags
		75 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.logging
	File: /cortex.tf:72-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		72 | resource "aws_s3_bucket" "logging" {
		73 |   bucket_prefix = terraform.workspace
		74 |   tags          = local.tags
		75 | }

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
	FAILED for resource: aws_s3_bucket.logging
	File: /cortex.tf:72-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

		72 | resource "aws_s3_bucket" "logging" {
		73 |   bucket_prefix = terraform.workspace
		74 |   tags          = local.tags
		75 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/modules/cloudwatch-firehose
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 60, Failed checks: 2, Skipped checks: 0

Check: CKV_AWS_241: "Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK"
	FAILED for resource: aws_kinesis_firehose_delivery_stream.firehose-to-s3
	File: /main.tf:39-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kinesis-firehose-delivery-streams-are-encrypted-with-cmk

		39 | resource "aws_kinesis_firehose_delivery_stream" "firehose-to-s3" {
		40 |   destination = "extended_s3"
		41 |   name        = "cloudwatch-to-s3-${random_id.name.hex}"
		42 | 
		43 |   extended_s3_configuration {
		44 |     bucket_arn = var.destination_bucket_arn
		45 |     role_arn   = aws_iam_role.firehose-to-s3.arn
		46 | 
		47 |     prefix              = "logs/!{partitionKeyFromQuery:logGroupName}/"
		48 |     error_output_prefix = "errors/!{firehose:error-output-type}/!{timestamp:yyyy/MM/dd}/"
		49 | 
		50 |     buffer_size     = 64
		51 |     buffer_interval = 60
		52 | 
		53 |     dynamic_partitioning_configuration {
		54 |       enabled = true
		55 |     }
		56 | 
		57 |     processing_configuration {
		58 |       enabled = true
		59 | 
		60 |       processors {
		61 |         type = "MetadataExtraction"
		62 |         parameters {
		63 |           parameter_name  = "JsonParsingEngine"
		64 |           parameter_value = "JQ"
		65 |         }
		66 |         parameters {
		67 |           parameter_name  = "MetadataExtractionQuery"
		68 |           parameter_value = "{logGroupName:.logGroup}"
		69 |         }
		70 |       }
		71 |     }
		72 |   }
		73 | 
		74 |   tags = var.tags
		75 | }

Check: CKV_AWS_240: "Ensure Kinesis Firehose delivery stream is encrypted"
	FAILED for resource: aws_kinesis_firehose_delivery_stream.firehose-to-s3
	File: /main.tf:39-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kinesis-firehoses-delivery-stream-is-encrypted

		39 | resource "aws_kinesis_firehose_delivery_stream" "firehose-to-s3" {
		40 |   destination = "extended_s3"
		41 |   name        = "cloudwatch-to-s3-${random_id.name.hex}"
		42 | 
		43 |   extended_s3_configuration {
		44 |     bucket_arn = var.destination_bucket_arn
		45 |     role_arn   = aws_iam_role.firehose-to-s3.arn
		46 | 
		47 |     prefix              = "logs/!{partitionKeyFromQuery:logGroupName}/"
		48 |     error_output_prefix = "errors/!{firehose:error-output-type}/!{timestamp:yyyy/MM/dd}/"
		49 | 
		50 |     buffer_size     = 64
		51 |     buffer_interval = 60
		52 | 
		53 |     dynamic_partitioning_configuration {
		54 |       enabled = true
		55 |     }
		56 | 
		57 |     processing_configuration {
		58 |       enabled = true
		59 | 
		60 |       processors {
		61 |         type = "MetadataExtraction"
		62 |         parameters {
		63 |           parameter_name  = "JsonParsingEngine"
		64 |           parameter_value = "JQ"
		65 |         }
		66 |         parameters {
		67 |           parameter_name  = "MetadataExtractionQuery"
		68 |           parameter_value = "{logGroupName:.logGroup}"
		69 |         }
		70 |       }
		71 |     }
		72 |   }
		73 | 
		74 |   tags = var.tags
		75 | }


checkov_exitcode=2

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

*****************************

Running tflint in terraform/environments/core-logging
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/modules/cloudwatch-firehose
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

*****************************

Running Trivy in terraform/environments/core-logging
2024-08-16T12:50:55Z	INFO	[db] Need to update DB
2024-08-16T12:50:55Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-16T12:50:57Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-16T12:50:57Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-16T12:50:57Z	INFO	Need to update the built-in policies
2024-08-16T12:50:57Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-16T12:50:57Z	INFO	[secret] Secret scanning is enabled
2024-08-16T12:50:57Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T12:50:57Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T12:51:01Z	INFO	Number of language-specific files	num=1
2024-08-16T12:51:01Z	INFO	[gomod] Detecting vulnerabilities...
2024-08-16T12:51:01Z	INFO	Detected config files	num=10

cortex.tf (terraform)
=====================
Tests: 10 (SUCCESSES: 5, FAILURES: 4, EXCEPTIONS: 1)
Failures: 4 (HIGH: 4, CRITICAL: 0)

HIGH: No public access block so not blocking public acls
════════════════════════════════════════

S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 cortex.tf:72-75
────────────────────────────────────────
  72resource "aws_s3_bucket" "logging" {
  73bucket_prefix = terraform.workspace
  74tags          = local.tags
  75 └ }
────────────────────────────────────────


HIGH: No public access block so not blocking public policies
════════════════════════════════════════

S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 cortex.tf:72-75
────────────────────────────────────────
  72resource "aws_s3_bucket" "logging" {
  73bucket_prefix = terraform.workspace
  74tags          = local.tags
  75 └ }
────────────────────────────────────────


HIGH: No public access block so not ignoring public acls
════════════════════════════════════════

S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 cortex.tf:72-75
────────────────────────────────────────
  72resource "aws_s3_bucket" "logging" {
  73bucket_prefix = terraform.workspace
  74tags          = local.tags
  75 └ }
────────────────────────────────────────


HIGH: No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.

See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 cortex.tf:72-75
────────────────────────────────────────
  72resource "aws_s3_bucket" "logging" {
  73bucket_prefix = terraform.workspace
  74tags          = local.tags
  75 └ }
────────────────────────────────────────


trivy_exitcode=1

*****************************

Running Trivy in terraform/modules/cloudwatch-firehose
2024-08-16T12:51:01Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-16T12:51:01Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-16T12:51:01Z	INFO	[secret] Secret scanning is enabled
2024-08-16T12:51:01Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T12:51:01Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T12:51:02Z	INFO	Number of language-specific files	num=0
2024-08-16T12:51:02Z	INFO	Detected config files	num=2
trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

Running Trivy in terraform/environments/core-logging
2024-08-16T13:45:18Z INFO [db] Need to update DB
2024-08-16T13:45:18Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-16T13:45:20Z INFO [vuln] Vulnerability scanning is enabled
2024-08-16T13:45:20Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-16T13:45:20Z INFO Need to update the built-in policies
2024-08-16T13:45:20Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-16T13:45:20Z INFO [secret] Secret scanning is enabled
2024-08-16T13:45:20Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T13:45:20Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T13:45:23Z INFO Number of language-specific files num=1
2024-08-16T13:45:23Z INFO [gomod] Detecting vulnerabilities...
2024-08-16T13:45:23Z INFO Detected config files num=10
trivy_exitcode=0

Running Trivy in terraform/modules/cloudwatch-firehose
2024-08-16T13:45:24Z INFO [vuln] Vulnerability scanning is enabled
2024-08-16T13:45:24Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-16T13:45:24Z INFO [secret] Secret scanning is enabled
2024-08-16T13:45:24Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T13:45:24Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T13:45:24Z INFO Number of language-specific files num=0
2024-08-16T13:45:24Z INFO Detected config files num=2
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

*****************************

Running Checkov in terraform/environments/core-logging
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-16 13:45:27,254 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1:None (for external modules, the --download-external-modules flag is required)
2024-08-16 13:45:27,254 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab519b10a7d28dfa3b77d407725db6b37614a:None (for external modules, the --download-external-modules flag is required)
2024-08-16 13:45:27,254 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/terraform-aws-observability-platform-tenant?ref=fbbe5c8282786bcc0a00c969fe598e14f12eea9b:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 532, Failed checks: 3, Skipped checks: 192

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.logging
	File: /cortex.tf:72-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		72 | resource "aws_s3_bucket" "logging" {
		73 |   #  checkov:skip:CKV_AWS_18: Access logs not presently required
		74 |   #  checkov:skip:CKV_AWS_21: Versioning of log objects not required
		75 |   #  checkov:skip:CKV_AWS_144:Replication of log objects not required
		76 |   bucket_prefix = terraform.workspace
		77 |   tags          = local.tags
		78 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.logging
	File: /cortex.tf:72-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		72 | resource "aws_s3_bucket" "logging" {
		73 |   #  checkov:skip:CKV_AWS_18: Access logs not presently required
		74 |   #  checkov:skip:CKV_AWS_21: Versioning of log objects not required
		75 |   #  checkov:skip:CKV_AWS_144:Replication of log objects not required
		76 |   bucket_prefix = terraform.workspace
		77 |   tags          = local.tags
		78 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.logging
	File: /cortex.tf:72-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		72 | resource "aws_s3_bucket" "logging" {
		73 |   #  checkov:skip:CKV_AWS_18: Access logs not presently required
		74 |   #  checkov:skip:CKV_AWS_21: Versioning of log objects not required
		75 |   #  checkov:skip:CKV_AWS_144:Replication of log objects not required
		76 |   bucket_prefix = terraform.workspace
		77 |   tags          = local.tags
		78 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/modules/cloudwatch-firehose
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 60, Failed checks: 2, Skipped checks: 0

Check: CKV_AWS_241: "Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK"
	FAILED for resource: aws_kinesis_firehose_delivery_stream.firehose-to-s3
	File: /main.tf:39-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kinesis-firehose-delivery-streams-are-encrypted-with-cmk

		39 | resource "aws_kinesis_firehose_delivery_stream" "firehose-to-s3" {
		40 |   destination = "extended_s3"
		41 |   name        = "cloudwatch-to-s3-${random_id.name.hex}"
		42 | 
		43 |   extended_s3_configuration {
		44 |     bucket_arn = var.destination_bucket_arn
		45 |     role_arn   = aws_iam_role.firehose-to-s3.arn
		46 | 
		47 |     prefix              = "logs/!{partitionKeyFromQuery:logGroupName}/"
		48 |     error_output_prefix = "errors/!{firehose:error-output-type}/!{timestamp:yyyy/MM/dd}/"
		49 | 
		50 |     buffer_size     = 64
		51 |     buffer_interval = 60
		52 | 
		53 |     dynamic_partitioning_configuration {
		54 |       enabled = true
		55 |     }
		56 | 
		57 |     processing_configuration {
		58 |       enabled = true
		59 | 
		60 |       processors {
		61 |         type = "MetadataExtraction"
		62 |         parameters {
		63 |           parameter_name  = "JsonParsingEngine"
		64 |           parameter_value = "JQ"
		65 |         }
		66 |         parameters {
		67 |           parameter_name  = "MetadataExtractionQuery"
		68 |           parameter_value = "{logGroupName:.logGroup}"
		69 |         }
		70 |       }
		71 |     }
		72 |   }
		73 | 
		74 |   tags = var.tags
		75 | }

Check: CKV_AWS_240: "Ensure Kinesis Firehose delivery stream is encrypted"
	FAILED for resource: aws_kinesis_firehose_delivery_stream.firehose-to-s3
	File: /main.tf:39-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kinesis-firehoses-delivery-stream-is-encrypted

		39 | resource "aws_kinesis_firehose_delivery_stream" "firehose-to-s3" {
		40 |   destination = "extended_s3"
		41 |   name        = "cloudwatch-to-s3-${random_id.name.hex}"
		42 | 
		43 |   extended_s3_configuration {
		44 |     bucket_arn = var.destination_bucket_arn
		45 |     role_arn   = aws_iam_role.firehose-to-s3.arn
		46 | 
		47 |     prefix              = "logs/!{partitionKeyFromQuery:logGroupName}/"
		48 |     error_output_prefix = "errors/!{firehose:error-output-type}/!{timestamp:yyyy/MM/dd}/"
		49 | 
		50 |     buffer_size     = 64
		51 |     buffer_interval = 60
		52 | 
		53 |     dynamic_partitioning_configuration {
		54 |       enabled = true
		55 |     }
		56 | 
		57 |     processing_configuration {
		58 |       enabled = true
		59 | 
		60 |       processors {
		61 |         type = "MetadataExtraction"
		62 |         parameters {
		63 |           parameter_name  = "JsonParsingEngine"
		64 |           parameter_value = "JQ"
		65 |         }
		66 |         parameters {
		67 |           parameter_name  = "MetadataExtractionQuery"
		68 |           parameter_value = "{logGroupName:.logGroup}"
		69 |         }
		70 |       }
		71 |     }
		72 |   }
		73 | 
		74 |   tags = var.tags
		75 | }


checkov_exitcode=2

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

*****************************

Running tflint in terraform/environments/core-logging
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/modules/cloudwatch-firehose
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

*****************************

Running Trivy in terraform/environments/core-logging
2024-08-16T13:45:18Z	INFO	[db] Need to update DB
2024-08-16T13:45:18Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-16T13:45:20Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-16T13:45:20Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-16T13:45:20Z	INFO	Need to update the built-in policies
2024-08-16T13:45:20Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-16T13:45:20Z	INFO	[secret] Secret scanning is enabled
2024-08-16T13:45:20Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T13:45:20Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T13:45:23Z	INFO	Number of language-specific files	num=1
2024-08-16T13:45:23Z	INFO	[gomod] Detecting vulnerabilities...
2024-08-16T13:45:23Z	INFO	Detected config files	num=10
trivy_exitcode=0

*****************************

Running Trivy in terraform/modules/cloudwatch-firehose
2024-08-16T13:45:24Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-16T13:45:24Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-16T13:45:24Z	INFO	[secret] Secret scanning is enabled
2024-08-16T13:45:24Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T13:45:24Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T13:45:24Z	INFO	Number of language-specific files	num=0
2024-08-16T13:45:24Z	INFO	Detected config files	num=2
trivy_exitcode=0

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

Running Trivy in terraform/environments/core-logging
2024-08-16T14:47:39Z INFO [db] Need to update DB
2024-08-16T14:47:39Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-16T14:47:41Z INFO [vuln] Vulnerability scanning is enabled
2024-08-16T14:47:41Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-16T14:47:41Z INFO Need to update the built-in policies
2024-08-16T14:47:41Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-16T14:47:41Z INFO [secret] Secret scanning is enabled
2024-08-16T14:47:41Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T14:47:41Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T14:47:44Z INFO Number of language-specific files num=1
2024-08-16T14:47:44Z INFO [gomod] Detecting vulnerabilities...
2024-08-16T14:47:44Z INFO Detected config files num=10
trivy_exitcode=0

Running Trivy in terraform/modules/cloudwatch-firehose
2024-08-16T14:47:45Z INFO [vuln] Vulnerability scanning is enabled
2024-08-16T14:47:45Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-16T14:47:45Z INFO [secret] Secret scanning is enabled
2024-08-16T14:47:45Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T14:47:45Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T14:47:45Z INFO Number of language-specific files num=0
2024-08-16T14:47:45Z INFO Detected config files num=3
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

*****************************

Running Checkov in terraform/environments/core-logging
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-16 14:47:48,268 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1:None (for external modules, the --download-external-modules flag is required)
2024-08-16 14:47:48,269 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab519b10a7d28dfa3b77d407725db6b37614a:None (for external modules, the --download-external-modules flag is required)
2024-08-16 14:47:48,269 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/terraform-aws-observability-platform-tenant?ref=fbbe5c8282786bcc0a00c969fe598e14f12eea9b:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 532, Failed checks: 3, Skipped checks: 192

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.logging
	File: /cortex.tf:72-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		72 | resource "aws_s3_bucket" "logging" {
		73 |   #  checkov:skip:CKV_AWS_18: Access logs not presently required
		74 |   #  checkov:skip:CKV_AWS_21: Versioning of log objects not required
		75 |   #  checkov:skip:CKV_AWS_144:Replication of log objects not required
		76 |   bucket_prefix = terraform.workspace
		77 |   tags          = local.tags
		78 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.logging
	File: /cortex.tf:72-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		72 | resource "aws_s3_bucket" "logging" {
		73 |   #  checkov:skip:CKV_AWS_18: Access logs not presently required
		74 |   #  checkov:skip:CKV_AWS_21: Versioning of log objects not required
		75 |   #  checkov:skip:CKV_AWS_144:Replication of log objects not required
		76 |   bucket_prefix = terraform.workspace
		77 |   tags          = local.tags
		78 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.logging
	File: /cortex.tf:72-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		72 | resource "aws_s3_bucket" "logging" {
		73 |   #  checkov:skip:CKV_AWS_18: Access logs not presently required
		74 |   #  checkov:skip:CKV_AWS_21: Versioning of log objects not required
		75 |   #  checkov:skip:CKV_AWS_144:Replication of log objects not required
		76 |   bucket_prefix = terraform.workspace
		77 |   tags          = local.tags
		78 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/modules/cloudwatch-firehose
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 71, Failed checks: 6, Skipped checks: 0

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.firehose-key-policy
	File: /data.tf:73-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		73  | data "aws_iam_policy_document" "firehose-key-policy" {
		74  |   statement {
		75  |     sid    = "KeyAdministration"
		76  |     effect = "Allow"
		77  | 
		78  |     principals {
		79  |       type        = "AWS"
		80  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		81  |     }
		82  | 
		83  |     actions   = ["kms:*"]
		84  |     resources = ["*"]
		85  |   }
		86  | 
		87  |   statement {
		88  |     sid    = "AllowFirehose"
		89  |     effect = "Allow"
		90  | 
		91  |     principals {
		92  |       type        = "Service"
		93  |       identifiers = ["firehose.amazonaws.com"]
		94  |     }
		95  | 
		96  |     actions = [
		97  |       "kms:Encrypt",
		98  |       "kms:Decrypt",
		99  |       "kms:ReEncrypt*",
		100 |       "kms:GenerateDataKey*",
		101 |       "kms:DescribeKey"
		102 |     ]
		103 | 
		104 |     resources = ["*"]
		105 | 
		106 |     condition {
		107 |       test     = "StringEquals"
		108 |       variable = "kms:ViaService"
		109 |       values   = ["firehose.amazonaws.com"]
		110 |     }
		111 |   }
		112 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.firehose-key-policy
	File: /data.tf:73-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		73  | data "aws_iam_policy_document" "firehose-key-policy" {
		74  |   statement {
		75  |     sid    = "KeyAdministration"
		76  |     effect = "Allow"
		77  | 
		78  |     principals {
		79  |       type        = "AWS"
		80  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		81  |     }
		82  | 
		83  |     actions   = ["kms:*"]
		84  |     resources = ["*"]
		85  |   }
		86  | 
		87  |   statement {
		88  |     sid    = "AllowFirehose"
		89  |     effect = "Allow"
		90  | 
		91  |     principals {
		92  |       type        = "Service"
		93  |       identifiers = ["firehose.amazonaws.com"]
		94  |     }
		95  | 
		96  |     actions = [
		97  |       "kms:Encrypt",
		98  |       "kms:Decrypt",
		99  |       "kms:ReEncrypt*",
		100 |       "kms:GenerateDataKey*",
		101 |       "kms:DescribeKey"
		102 |     ]
		103 | 
		104 |     resources = ["*"]
		105 | 
		106 |     condition {
		107 |       test     = "StringEquals"
		108 |       variable = "kms:ViaService"
		109 |       values   = ["firehose.amazonaws.com"]
		110 |     }
		111 |   }
		112 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.firehose-key-policy
	File: /data.tf:73-112
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		73  | data "aws_iam_policy_document" "firehose-key-policy" {
		74  |   statement {
		75  |     sid    = "KeyAdministration"
		76  |     effect = "Allow"
		77  | 
		78  |     principals {
		79  |       type        = "AWS"
		80  |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		81  |     }
		82  | 
		83  |     actions   = ["kms:*"]
		84  |     resources = ["*"]
		85  |   }
		86  | 
		87  |   statement {
		88  |     sid    = "AllowFirehose"
		89  |     effect = "Allow"
		90  | 
		91  |     principals {
		92  |       type        = "Service"
		93  |       identifiers = ["firehose.amazonaws.com"]
		94  |     }
		95  | 
		96  |     actions = [
		97  |       "kms:Encrypt",
		98  |       "kms:Decrypt",
		99  |       "kms:ReEncrypt*",
		100 |       "kms:GenerateDataKey*",
		101 |       "kms:DescribeKey"
		102 |     ]
		103 | 
		104 |     resources = ["*"]
		105 | 
		106 |     condition {
		107 |       test     = "StringEquals"
		108 |       variable = "kms:ViaService"
		109 |       values   = ["firehose.amazonaws.com"]
		110 |     }
		111 |   }
		112 | }

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.firehose
	File: /main.tf:5-10
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		5  | resource "aws_kms_key" "firehose" {
		6  |   description             = "KMS key for Firehose delivery streams"
		7  |   deletion_window_in_days = 7
		8  |   policy                  = data.aws_iam_policy_document.firehose-key-policy.json
		9  |   tags                    = var.tags
		10 | }

Check: CKV_AWS_241: "Ensure that Kinesis Firehose Delivery Streams are encrypted with CMK"
	FAILED for resource: aws_kinesis_firehose_delivery_stream.firehose-to-s3
	File: /main.tf:51-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kinesis-firehose-delivery-streams-are-encrypted-with-cmk

		51 | resource "aws_kinesis_firehose_delivery_stream" "firehose-to-s3" {
		52 |   destination = "extended_s3"
		53 |   name        = "cloudwatch-to-s3-${random_id.name.hex}"
		54 | 
		55 |   extended_s3_configuration {
		56 |     bucket_arn = var.destination_bucket_arn
		57 |     role_arn   = aws_iam_role.firehose-to-s3.arn
		58 | 
		59 |     prefix              = "logs/!{partitionKeyFromQuery:logGroupName}/"
		60 |     error_output_prefix = "errors/!{firehose:error-output-type}/!{timestamp:yyyy/MM/dd}/"
		61 | 
		62 |     buffer_size     = 64
		63 |     buffer_interval = 60
		64 | 
		65 |     dynamic_partitioning_configuration {
		66 |       enabled = true
		67 |     }
		68 | 
		69 |     processing_configuration {
		70 |       enabled = true
		71 | 
		72 |       processors {
		73 |         type = "MetadataExtraction"
		74 |         parameters {
		75 |           parameter_name  = "JsonParsingEngine"
		76 |           parameter_value = "JQ"
		77 |         }
		78 |         parameters {
		79 |           parameter_name  = "MetadataExtractionQuery"
		80 |           parameter_value = "{logGroupName:.logGroup}"
		81 |         }
		82 |       }
		83 |     }
		84 | 
		85 |     kms_key_arn = aws_kms_key.firehose.arn
		86 | 
		87 |   }
		88 | 
		89 |   tags = var.tags
		90 | }

Check: CKV_AWS_240: "Ensure Kinesis Firehose delivery stream is encrypted"
	FAILED for resource: aws_kinesis_firehose_delivery_stream.firehose-to-s3
	File: /main.tf:51-90
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-aws-kinesis-firehoses-delivery-stream-is-encrypted

		51 | resource "aws_kinesis_firehose_delivery_stream" "firehose-to-s3" {
		52 |   destination = "extended_s3"
		53 |   name        = "cloudwatch-to-s3-${random_id.name.hex}"
		54 | 
		55 |   extended_s3_configuration {
		56 |     bucket_arn = var.destination_bucket_arn
		57 |     role_arn   = aws_iam_role.firehose-to-s3.arn
		58 | 
		59 |     prefix              = "logs/!{partitionKeyFromQuery:logGroupName}/"
		60 |     error_output_prefix = "errors/!{firehose:error-output-type}/!{timestamp:yyyy/MM/dd}/"
		61 | 
		62 |     buffer_size     = 64
		63 |     buffer_interval = 60
		64 | 
		65 |     dynamic_partitioning_configuration {
		66 |       enabled = true
		67 |     }
		68 | 
		69 |     processing_configuration {
		70 |       enabled = true
		71 | 
		72 |       processors {
		73 |         type = "MetadataExtraction"
		74 |         parameters {
		75 |           parameter_name  = "JsonParsingEngine"
		76 |           parameter_value = "JQ"
		77 |         }
		78 |         parameters {
		79 |           parameter_name  = "MetadataExtractionQuery"
		80 |           parameter_value = "{logGroupName:.logGroup}"
		81 |         }
		82 |       }
		83 |     }
		84 | 
		85 |     kms_key_arn = aws_kms_key.firehose.arn
		86 | 
		87 |   }
		88 | 
		89 |   tags = var.tags
		90 | }


checkov_exitcode=2

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

*****************************

Running tflint in terraform/environments/core-logging
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/modules/cloudwatch-firehose
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

*****************************

Running Trivy in terraform/environments/core-logging
2024-08-16T14:47:39Z	INFO	[db] Need to update DB
2024-08-16T14:47:39Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-16T14:47:41Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-16T14:47:41Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-16T14:47:41Z	INFO	Need to update the built-in policies
2024-08-16T14:47:41Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-16T14:47:41Z	INFO	[secret] Secret scanning is enabled
2024-08-16T14:47:41Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T14:47:41Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T14:47:44Z	INFO	Number of language-specific files	num=1
2024-08-16T14:47:44Z	INFO	[gomod] Detecting vulnerabilities...
2024-08-16T14:47:44Z	INFO	Detected config files	num=10
trivy_exitcode=0

*****************************

Running Trivy in terraform/modules/cloudwatch-firehose
2024-08-16T14:47:45Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-16T14:47:45Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-16T14:47:45Z	INFO	[secret] Secret scanning is enabled
2024-08-16T14:47:45Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T14:47:45Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T14:47:45Z	INFO	Number of language-specific files	num=0
2024-08-16T14:47:45Z	INFO	Detected config files	num=3
trivy_exitcode=0

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

Running Trivy in terraform/environments/core-logging
2024-08-16T15:06:20Z INFO [db] Need to update DB
2024-08-16T15:06:20Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-16T15:06:22Z INFO [vuln] Vulnerability scanning is enabled
2024-08-16T15:06:22Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-16T15:06:22Z INFO Need to update the built-in policies
2024-08-16T15:06:22Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-16T15:06:22Z INFO [secret] Secret scanning is enabled
2024-08-16T15:06:22Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T15:06:22Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T15:06:24Z INFO Number of language-specific files num=1
2024-08-16T15:06:24Z INFO [gomod] Detecting vulnerabilities...
2024-08-16T15:06:24Z INFO Detected config files num=10
trivy_exitcode=0

Running Trivy in terraform/modules/cloudwatch-firehose
2024-08-16T15:06:25Z INFO [vuln] Vulnerability scanning is enabled
2024-08-16T15:06:25Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-16T15:06:25Z INFO [secret] Secret scanning is enabled
2024-08-16T15:06:25Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T15:06:25Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T15:06:25Z INFO Number of language-specific files num=0
2024-08-16T15:06:25Z INFO Detected config files num=3
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

*****************************

Running Checkov in terraform/environments/core-logging
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-16 15:06:28,103 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1:None (for external modules, the --download-external-modules flag is required)
2024-08-16 15:06:28,103 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab519b10a7d28dfa3b77d407725db6b37614a:None (for external modules, the --download-external-modules flag is required)
2024-08-16 15:06:28,104 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/terraform-aws-observability-platform-tenant?ref=fbbe5c8282786bcc0a00c969fe598e14f12eea9b:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 532, Failed checks: 3, Skipped checks: 192

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.logging
	File: /cortex.tf:72-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		72 | resource "aws_s3_bucket" "logging" {
		73 |   #  checkov:skip:CKV_AWS_18: Access logs not presently required
		74 |   #  checkov:skip:CKV_AWS_21: Versioning of log objects not required
		75 |   #  checkov:skip:CKV_AWS_144:Replication of log objects not required
		76 |   bucket_prefix = terraform.workspace
		77 |   tags          = local.tags
		78 | }

Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
	FAILED for resource: aws_s3_bucket.logging
	File: /cortex.tf:72-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-16-enable-versioning

		72 | resource "aws_s3_bucket" "logging" {
		73 |   #  checkov:skip:CKV_AWS_18: Access logs not presently required
		74 |   #  checkov:skip:CKV_AWS_21: Versioning of log objects not required
		75 |   #  checkov:skip:CKV_AWS_144:Replication of log objects not required
		76 |   bucket_prefix = terraform.workspace
		77 |   tags          = local.tags
		78 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.logging
	File: /cortex.tf:72-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		72 | resource "aws_s3_bucket" "logging" {
		73 |   #  checkov:skip:CKV_AWS_18: Access logs not presently required
		74 |   #  checkov:skip:CKV_AWS_21: Versioning of log objects not required
		75 |   #  checkov:skip:CKV_AWS_144:Replication of log objects not required
		76 |   bucket_prefix = terraform.workspace
		77 |   tags          = local.tags
		78 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/modules/cloudwatch-firehose
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 73, Failed checks: 0, Skipped checks: 4


checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

*****************************

Running tflint in terraform/environments/core-logging
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/modules/cloudwatch-firehose
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

*****************************

Running Trivy in terraform/environments/core-logging
2024-08-16T15:06:20Z	INFO	[db] Need to update DB
2024-08-16T15:06:20Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-16T15:06:22Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-16T15:06:22Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-16T15:06:22Z	INFO	Need to update the built-in policies
2024-08-16T15:06:22Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-16T15:06:22Z	INFO	[secret] Secret scanning is enabled
2024-08-16T15:06:22Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T15:06:22Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T15:06:24Z	INFO	Number of language-specific files	num=1
2024-08-16T15:06:24Z	INFO	[gomod] Detecting vulnerabilities...
2024-08-16T15:06:24Z	INFO	Detected config files	num=10
trivy_exitcode=0

*****************************

Running Trivy in terraform/modules/cloudwatch-firehose
2024-08-16T15:06:25Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-16T15:06:25Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-16T15:06:25Z	INFO	[secret] Secret scanning is enabled
2024-08-16T15:06:25Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T15:06:25Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T15:06:25Z	INFO	Number of language-specific files	num=0
2024-08-16T15:06:25Z	INFO	Detected config files	num=3
trivy_exitcode=0

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

Running Trivy in terraform/environments/core-logging
2024-08-16T15:24:22Z INFO [db] Need to update DB
2024-08-16T15:24:22Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-16T15:24:24Z INFO [vuln] Vulnerability scanning is enabled
2024-08-16T15:24:24Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-16T15:24:24Z INFO Need to update the built-in policies
2024-08-16T15:24:24Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-16T15:24:25Z INFO [secret] Secret scanning is enabled
2024-08-16T15:24:25Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T15:24:25Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T15:24:27Z INFO Number of language-specific files num=1
2024-08-16T15:24:27Z INFO [gomod] Detecting vulnerabilities...
2024-08-16T15:24:27Z INFO Detected config files num=10
trivy_exitcode=0

Running Trivy in terraform/modules/cloudwatch-firehose
2024-08-16T15:24:28Z INFO [vuln] Vulnerability scanning is enabled
2024-08-16T15:24:28Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-16T15:24:28Z INFO [secret] Secret scanning is enabled
2024-08-16T15:24:28Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T15:24:28Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T15:24:28Z INFO Number of language-specific files num=0
2024-08-16T15:24:28Z INFO Detected config files num=3
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

*****************************

Running Checkov in terraform/environments/core-logging
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-16 15:24:31,065 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1:None (for external modules, the --download-external-modules flag is required)
2024-08-16 15:24:31,065 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab519b10a7d28dfa3b77d407725db6b37614a:None (for external modules, the --download-external-modules flag is required)
2024-08-16 15:24:31,065 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/terraform-aws-observability-platform-tenant?ref=fbbe5c8282786bcc0a00c969fe598e14f12eea9b:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 532, Failed checks: 0, Skipped checks: 195


checkov_exitcode=0

*****************************

Running Checkov in terraform/modules/cloudwatch-firehose
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 73, Failed checks: 0, Skipped checks: 4


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

*****************************

Running tflint in terraform/environments/core-logging
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/modules/cloudwatch-firehose
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/core-logging
terraform/modules/cloudwatch-firehose

*****************************

Running Trivy in terraform/environments/core-logging
2024-08-16T15:24:22Z	INFO	[db] Need to update DB
2024-08-16T15:24:22Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-16T15:24:24Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-16T15:24:24Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-16T15:24:24Z	INFO	Need to update the built-in policies
2024-08-16T15:24:24Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-16T15:24:25Z	INFO	[secret] Secret scanning is enabled
2024-08-16T15:24:25Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T15:24:25Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T15:24:27Z	INFO	Number of language-specific files	num=1
2024-08-16T15:24:27Z	INFO	[gomod] Detecting vulnerabilities...
2024-08-16T15:24:27Z	INFO	Detected config files	num=10
trivy_exitcode=0

*****************************

Running Trivy in terraform/modules/cloudwatch-firehose
2024-08-16T15:24:28Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-16T15:24:28Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-16T15:24:28Z	INFO	[secret] Secret scanning is enabled
2024-08-16T15:24:28Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-16T15:24:28Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-16T15:24:28Z	INFO	Number of language-specific files	num=0
2024-08-16T15:24:28Z	INFO	Detected config files	num=3
trivy_exitcode=0

@dms1981 dms1981 marked this pull request as ready for review August 16, 2024 15:27
@dms1981 dms1981 requested a review from a team as a code owner August 16, 2024 15:27
richgreen-moj
richgreen-moj approved these changes Aug 16, 2024
View reviewed changes
Copy link
Contributor

@richgreen-moj richgreen-moj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dms1981 dms1981 added this pull request to the merge queue Aug 19, 2024
Merged via the queue into main with commit 3f6c6dc Aug 19, 2024
5 checks passed
@dms1981 dms1981 deleted the feature/7607-add-xsiam-bucket-to-core-logging branch August 19, 2024 07:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@richgreen-moj richgreen-moj richgreen-moj approved these changes

Assignees
No one assigned
Labels
core
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dms1981 @richgreen-moj