Experience Builder


Terraform


Repository
alphagov / govuk-infrastructure
Description

Terraform turnup automation for the EKS Kubernetes clusters that host GOV.UK. See https://github.com/alphagov/govuk-helm-charts for application config.

Stars

 107

Failed Checks
  • Security Scanning

Scan Date
  2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation: no security scanning tool was found in any of the CI/CD pipeline configuration files in the repository. The Checkov results below show what such a scan reports when it is run against the repository's Terraform.

    There is an opportunity to:

    Checkov Output

    2023-10-05 15:04:25,444 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-eks-role:~>5.27 (for external modules, the --download-external-modules flag is required)
    2023-10-05 15:04:25,444 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:~>5.5 (for external modules, the --download-external-modules flag is required)
    2023-10-05 15:04:25,444 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc:~>4.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 15:04:25,445 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:~>19.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 15:04:25,445 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/rds-aurora/aws:~>7.6.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 15:04:25,445 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:~>5.20 (for external modules, the --download-external-modules flag is required)
    2023-10-05 15:04:25,445 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-eks-role:~>5.28 (for external modules, the --download-external-modules flag is required)
    terraform scan results:
    
    Passed checks: 497, Failed checks: 91, Skipped checks: 0
    
    Check: CKV_AWS_192: "Ensure WAF prevents message lookup in Log4j2. See CVE-2021-44228 aka log4jshell"
    	FAILED for resource: aws_wafv2_web_acl.cdn_poc_govuk
    	File: /terraform/deployments/cloudfront/main.tf:177-317
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-waf-prevents-message-lookup-in-log4j2.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
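
CKV_AWS_192 looks for the AWS-managed KnownBadInputs rule group in the web ACL; that group's Log4JRCE rules match the JNDI lookup strings used to exploit CVE-2021-44228. The report only gives the ACL's location (lines 177-317), not its rules, so the following is an added, minimal web ACL that shows the rule to add. It is not the repository's cdn_poc_govuk ACL; the resource name, metric names and a CLOUDFRONT scope are assumptions. CloudFront-scoped ACLs must be created through a provider configured for us-east-1.

```hcl
# Added example, not code from alphagov/govuk-infrastructure. Names are assumed.
resource "aws_wafv2_web_acl" "cdn_poc_govuk_example" {
  name  = "cdn-poc-govuk-example"
  scope = "CLOUDFRONT" # CloudFront ACLs live in us-east-1

  default_action {
    allow {}
  }

  # AWS-managed group whose Log4JRCE rules inspect URI, query string, headers
  # and body for ${jndi:...} payloads (CVE-2021-44228). override_action none {}
  # keeps the group's own block action; count {} would only log matches and
  # would not satisfy the check's intent.
  rule {
    name     = "AWSManagedRulesKnownBadInputsRuleSet"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "known-bad-inputs"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "cdn-poc-govuk-example"
    sampled_requests_enabled   = true
  }
}
```

The WAF rule is a compensating control at the edge: it does nothing for traffic that reaches the origin by another path, so the patched Log4j version in the origin remains the actual fix, and the WAF rule is there to cut noise and buy time.
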
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.aws_ebs_csi_driver
    	File: /terraform/deployments/cluster-infrastructure/aws_ebs_csi_iam.tf:16-169
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy.aws_ebs_csi_driver
    	File: /terraform/deployments/cluster-infrastructure/aws_ebs_csi_iam.tf:16-169
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.aws_lb_controller
    	File: /terraform/deployments/cluster-infrastructure/aws_lb_controller_iam.tf:23-249
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy.aws_lb_controller
    	File: /terraform/deployments/cluster-infrastructure/aws_lb_controller_iam.tf:23-249
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_184: "Ensure resource is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: aws_efs_file_system.clamav-db
    	File: /terraform/deployments/cluster-infrastructure/clamav_db_efs.tf:5-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-104.html
    
    		5 | resource "aws_efs_file_system" "clamav-db" {
    		6 |   creation_token = local.clamav_db_name
    		7 |   tags           = { "Description" = "EFS where Clamav virus signature database is stored" }
    		8 | }
    
    Check: CKV_AWS_42: "Ensure EFS is securely encrypted"
    	FAILED for resource: aws_efs_file_system.clamav-db
    	File: /terraform/deployments/cluster-infrastructure/clamav_db_efs.tf:5-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-17.html
    
    		5 | resource "aws_efs_file_system" "clamav-db" {
    		6 |   creation_token = local.clamav_db_name
    		7 |   tags           = { "Description" = "EFS where Clamav virus signature database is stored" }
    		8 | }
    
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.cluster_autoscaler
    	File: /terraform/deployments/cluster-infrastructure/cluster_autoscaler_iam.tf:46-91
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		46 | data "aws_iam_policy_document" "cluster_autoscaler" {
    		47 |   statement {
    		48 |     sid    = "clusterAutoscalerAll"
    		49 |     effect = "Allow"
    		50 | 
    		51 |     actions = [
    		52 |       "autoscaling:DescribeAutoScalingGroups",
    		53 |       "autoscaling:DescribeAutoScalingInstances",
    		54 |       "autoscaling:DescribeLaunchConfigurations",
    		55 |       "autoscaling:DescribeTags",
    		56 |       "ec2:DescribeLaunchTemplateVersions",
    		57 |       "autoscaling:SetDesiredCapacity",
    		58 |       "autoscaling:TerminateInstanceInAutoScalingGroup",
    		59 |       "autoscaling:UpdateAutoScalingGroup",
    		60 |       "ec2:DescribeInstanceTypes",
    		61 |       "eks:DescribeNodegroup"
    		62 |     ]
    		63 | 
    		64 |     resources = ["*"]
    		65 |   }
    		66 | 
    		67 |   statement {
    		68 |     sid    = "clusterAutoscalerOwn"
    		69 |     effect = "Allow"
    		70 | 
    		71 |     actions = [
    		72 |       "autoscaling:SetDesiredCapacity",
    		73 |       "autoscaling:TerminateInstanceInAutoScalingGroup",
    		74 |       "autoscaling:UpdateAutoScalingGroup",
    		75 |     ]
    		76 | 
    		77 |     resources = ["*"]
    		78 | 
    		79 |     condition {
    		80 |       test     = "StringEquals"
    		81 |       variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/${module.eks.cluster_name}"
    		82 |       values   = ["owned"]
    		83 |     }
    		84 | 
    		85 |     condition {
    		86 |       test     = "StringEquals"
    		87 |       variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled"
    		88 |       values   = ["true"]
    		89 |     }
    		90 |   }
    		91 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.cluster_autoscaler
    	File: /terraform/deployments/cluster-infrastructure/cluster_autoscaler_iam.tf:46-91
    
    		46 | data "aws_iam_policy_document" "cluster_autoscaler" {
    		47 |   statement {
    		48 |     sid    = "clusterAutoscalerAll"
    		49 |     effect = "Allow"
    		50 | 
    		51 |     actions = [
    		52 |       "autoscaling:DescribeAutoScalingGroups",
    		53 |       "autoscaling:DescribeAutoScalingInstances",
    		54 |       "autoscaling:DescribeLaunchConfigurations",
    		55 |       "autoscaling:DescribeTags",
    		56 |       "ec2:DescribeLaunchTemplateVersions",
    		57 |       "autoscaling:SetDesiredCapacity",
    		58 |       "autoscaling:TerminateInstanceInAutoScalingGroup",
    		59 |       "autoscaling:UpdateAutoScalingGroup",
    		60 |       "ec2:DescribeInstanceTypes",
    		61 |       "eks:DescribeNodegroup"
    		62 |     ]
    		63 | 
    		64 |     resources = ["*"]
    		65 |   }
    		66 | 
    		67 |   statement {
    		68 |     sid    = "clusterAutoscalerOwn"
    		69 |     effect = "Allow"
    		70 | 
    		71 |     actions = [
    		72 |       "autoscaling:SetDesiredCapacity",
    		73 |       "autoscaling:TerminateInstanceInAutoScalingGroup",
    		74 |       "autoscaling:UpdateAutoScalingGroup",
    		75 |     ]
    		76 | 
    		77 |     resources = ["*"]
    		78 | 
    		79 |     condition {
    		80 |       test     = "StringEquals"
    		81 |       variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/${module.eks.cluster_name}"
    		82 |       values   = ["owned"]
    		83 |     }
    		84 | 
    		85 |     condition {
    		86 |       test     = "StringEquals"
    		87 |       variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled"
    		88 |       values   = ["true"]
    		89 |     }
    		90 |   }
    		91 | }
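
Both checks on aws_iam_policy_document.cluster_autoscaler point at one root cause that the excerpt makes visible: the first statement (clusterAutoscalerAll) already grants SetDesiredCapacity, TerminateInstanceInAutoScalingGroup and UpdateAutoScalingGroup on every Auto Scaling group with no condition, so the tag-conditioned second statement adds nothing. IAM evaluates each Allow statement on its own, and the broader one wins. The corrected document below is an added example, not code from alphagov/govuk-infrastructure: it leaves only the Describe actions unrestricted (the autoscaling and ec2 Describe actions accept no resource ARN, so "*" is the only valid resource for them) and moves every mutating action behind the two tag conditions the original already defines. module.eks.cluster_name is the same reference the original uses.

```hcl
# Added example: the original two statements with the overlap removed.
data "aws_iam_policy_document" "cluster_autoscaler" {
  # Discovery only. autoscaling:Describe* and ec2:Describe* take no resource
  # ARN, so "*" is the only valid resource; nothing here can change state.
  # eks:DescribeNodegroup does accept nodegroup ARNs and can be narrowed further.
  statement {
    sid    = "clusterAutoscalerDescribe"
    effect = "Allow"
    actions = [
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:DescribeAutoScalingInstances",
      "autoscaling:DescribeLaunchConfigurations",
      "autoscaling:DescribeTags",
      "ec2:DescribeInstanceTypes",
      "ec2:DescribeLaunchTemplateVersions",
      "eks:DescribeNodegroup",
    ]
    resources = ["*"]
  }

  # Mutating actions, only on Auto Scaling groups tagged as owned by this
  # cluster. In the original these three actions were also granted without a
  # condition in the first statement, which made these conditions ineffective.
  statement {
    sid    = "clusterAutoscalerOwn"
    effect = "Allow"
    actions = [
      "autoscaling:SetDesiredCapacity",
      "autoscaling:TerminateInstanceInAutoScalingGroup",
      "autoscaling:UpdateAutoScalingGroup",
    ]
    resources = ["*"]

    condition {
      test     = "StringEquals"
      variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/${module.eks.cluster_name}"
      values   = ["owned"]
    }

    condition {
      test     = "StringEquals"
      variable = "autoscaling:ResourceTag/k8s.io/cluster-autoscaler/enabled"
      values   = ["true"]
    }
  }
}
```

After this change the conditioned statement is the only source of write access, so the autoscaler's credentials can no longer resize or drain an Auto Scaling group that lacks both tags, which is what the two conditions were meant to enforce. If Checkov still reports the conditioned "*" statement, record the justification inline with `#checkov:skip=CKV_AWS_356:<reason>` rather than widening the policy again.
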
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.external_dns
    	File: /terraform/deployments/cluster-infrastructure/external_dns.tf:32-46
    
    		32 | data "aws_iam_policy_document" "external_dns" {
    		33 |   statement {
    		34 |     effect    = "Allow"
    		35 |     actions   = ["route53:ChangeResourceRecordSets"]
    		36 |     resources = [aws_route53_zone.cluster_public.arn]
    		37 |   }
    		38 |   statement {
    		39 |     effect = "Allow"
    		40 |     actions = [
    		41 |       "route53:ListHostedZones",
    		42 |       "route53:ListResourceRecordSets",
    		43 |     ]
    		44 |     resources = ["*"]
    		45 |   }
    		46 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.grafana
    	File: /terraform/deployments/cluster-infrastructure/grafana.tf:17-66
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
    	FAILED for resource: aws_secretsmanager_secret.grafana_db
    	File: /terraform/deployments/cluster-infrastructure/grafana.tf:129-132
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms.html
    
    		129 | resource "aws_secretsmanager_secret" "grafana_db" {
    		130 |   name                    = "${module.eks.cluster_name}/grafana/database"
    		131 |   recovery_window_in_days = var.secrets_recovery_window_in_days
    		132 | }
    
    Check: CKV_AWS_130: "Ensure VPC subnets do not assign public IP by default"
    	FAILED for resource: aws_subnet.eks_public
    	File: /terraform/deployments/cluster-infrastructure/vpc.tf:67-79
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-vpc-subnets-do-not-assign-public-ip-by-default.html
    
    		67 | resource "aws_subnet" "eks_public" {
    		68 |   for_each          = var.eks_public_subnets
    		69 |   vpc_id            = data.terraform_remote_state.infra_vpc.outputs.vpc_id
    		70 |   cidr_block        = each.value.cidr
    		71 |   availability_zone = each.value.az
    		72 |   tags = {
    		73 |     Name = "${var.cluster_name}-eks-public-${each.key}"
    		74 |     # https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
    		75 |     "kubernetes.io/cluster/${var.cluster_name}" = "owned"
    		76 |     "kubernetes.io/role/elb"                    = "1"
    		77 |   }
    		78 |   map_public_ip_on_launch = true
    		79 | }
    
    Check: CKV_K8S_49: "Minimize wildcard use in Roles and ClusterRoles"
    	FAILED for resource: kubernetes_cluster_role.poweruser
    	File: /terraform/deployments/cluster-services/aws_auth_configmap.tf:129-138
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-minimized-wildcard-use-in-roles-and-clusterroles.html
    
    		129 | resource "kubernetes_cluster_role" "poweruser" {
    		130 |   metadata {
    		131 |     name = "poweruser"
    		132 |   }
    		133 |   rule {
    		134 |     api_groups = ["*"]
    		135 |     resources  = ["*"]
    		136 |     verbs      = ["*"]
    		137 |   }
    		138 | }
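
A ClusterRole with `*` for api_groups, resources and verbs is cluster-admin under another name: it includes secrets in every namespace, ClusterRoleBindings (so it can grant itself anything) and nodes. What "poweruser" should actually be able to do is a product decision the page does not record, so the following is an added example of the mechanism rather than a recommendation of a specific permission set. It is not the repository's code. It builds the role by aggregation: the first selector pulls in the rules that make up Kubernetes' built-in `admin` role (namespaced resources, no cluster-scoped ones), and the second pulls in a small read-only cluster-scoped role defined alongside it. The aggregation label `govuk.example/aggregate-to-poweruser` is an assumed name.

```hcl
# Added example. With aggregation_rule set, the role's rules are computed by
# the controller from every ClusterRole matching the selectors, so no wildcard
# is written here and the rules track upstream changes to the built-in "admin".
resource "kubernetes_cluster_role" "poweruser" {
  metadata {
    name = "poweruser"
  }

  aggregation_rule {
    # Everything the built-in "admin" role is assembled from.
    cluster_role_selectors {
      match_labels = { "rbac.authorization.k8s.io/aggregate-to-admin" = "true" }
    }
    # Plus our own additions, kept in a separate ClusterRole below. Using a
    # custom label (assumed name) rather than aggregate-to-admin avoids
    # silently widening the built-in "admin" role for everyone bound to it.
    cluster_role_selectors {
      match_labels = { "govuk.example/aggregate-to-poweruser" = "true" }
    }
  }
}

# Explicit, read-only access to the cluster-scoped objects an operator needs to
# see when debugging. Verbs are listed individually; there is no "*".
resource "kubernetes_cluster_role" "poweruser_cluster_read" {
  metadata {
    name   = "poweruser-cluster-read"
    labels = { "govuk.example/aggregate-to-poweruser" = "true" }
  }

  rule {
    api_groups = [""]
    resources  = ["nodes", "namespaces", "persistentvolumes"]
    verbs      = ["get", "list", "watch"]
  }

  rule {
    api_groups = ["storage.k8s.io"]
    resources  = ["storageclasses"]
    verbs      = ["get", "list", "watch"]
  }
}
```

Note that binding this role with a ClusterRoleBinding still applies it in every namespace; if power users should be confined to particular namespaces, bind it with a RoleBinding per namespace instead, and the cluster-scoped read rules then only take effect through a separate, narrower ClusterRoleBinding.
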
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_vpc_security_group_ingress_rule.rds
    	File: /terraform/deployments/datagovuk-infrastructure/security.tf:7-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		7  | resource "aws_vpc_security_group_ingress_rule" "rds" {
    		8  |   security_group_id = aws_security_group.rds.id
    		9  | 
    		10 |   from_port   = 5432
    		11 |   to_port     = 5432
    		12 |   ip_protocol = "tcp"
    		13 | 
    		14 |   referenced_security_group_id = data.terraform_remote_state.cluster_infrastructure.outputs.node_security_group_id
    		15 | }
    
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.topic-policy-ecr-sns
    	File: /terraform/deployments/ecr/data.tf:1-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		1  | data "aws_iam_policy_document" "topic-policy-ecr-sns" {
    		2  | 
    		3  |   policy_id = "ecr_scan_id"
    		4  | 
    		5  |   statement {
    		6  |     actions = [
    		7  |       "SNS:GetTopicAttributes",
    		8  |       "SNS:SetTopicAttributes",
    		9  |       "SNS:AddPermission",
    		10 |       "SNS:RemovePermission",
    		11 |       "SNS:DeleteTopic",
    		12 |       "SNS:Subscribe",
    		13 |       "SNS:ListSubscriptionsByTopic",
    		14 |       "SNS:Publish",
    		15 |       "SNS:Receive"
    		16 |     ]
    		17 | 
    		18 |     condition {
    		19 |       test     = "StringEquals"
    		20 |       variable = "AWS:SourceOwner"
    		21 | 
    		22 |       values = [data.aws_caller_identity.current.account_id]
    		23 |     }
    		24 |     effect = "Allow"
    		25 | 
    		26 |     principals {
    		27 |       type        = "AWS"
    		28 |       identifiers = ["*"]
    		29 |     }
    		30 | 
    		31 |     resources = ["*"]
    		32 |   }
    		33 | 
    		34 |   statement {
    		35 |     actions = ["sns:Publish"]
    		36 |     effect  = "Allow"
    		37 | 
    		38 |     principals {
    		39 |       type        = "Service"
    		40 |       identifiers = ["events.amazonaws.com"]
    		41 |     }
    		42 | 
    		43 |     resources = ["*"]
    		44 |     sid       = "TrustCWEToPublishEventsToMyTopic"
    		45 |   }
    		46 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.topic-policy-ecr-sns
    	File: /terraform/deployments/ecr/data.tf:1-46
    
    		1  | data "aws_iam_policy_document" "topic-policy-ecr-sns" {
    		2  | 
    		3  |   policy_id = "ecr_scan_id"
    		4  | 
    		5  |   statement {
    		6  |     actions = [
    		7  |       "SNS:GetTopicAttributes",
    		8  |       "SNS:SetTopicAttributes",
    		9  |       "SNS:AddPermission",
    		10 |       "SNS:RemovePermission",
    		11 |       "SNS:DeleteTopic",
    		12 |       "SNS:Subscribe",
    		13 |       "SNS:ListSubscriptionsByTopic",
    		14 |       "SNS:Publish",
    		15 |       "SNS:Receive"
    		16 |     ]
    		17 | 
    		18 |     condition {
    		19 |       test     = "StringEquals"
    		20 |       variable = "AWS:SourceOwner"
    		21 | 
    		22 |       values = [data.aws_caller_identity.current.account_id]
    		23 |     }
    		24 |     effect = "Allow"
    		25 | 
    		26 |     principals {
    		27 |       type        = "AWS"
    		28 |       identifiers = ["*"]
    		29 |     }
    		30 | 
    		31 |     resources = ["*"]
    		32 |   }
    		33 | 
    		34 |   statement {
    		35 |     actions = ["sns:Publish"]
    		36 |     effect  = "Allow"
    		37 | 
    		38 |     principals {
    		39 |       type        = "Service"
    		40 |       identifiers = ["events.amazonaws.com"]
    		41 |     }
    		42 | 
    		43 |     resources = ["*"]
    		44 |     sid       = "TrustCWEToPublishEventsToMyTopic"
    		45 |   }
    		46 | }
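
Both findings on aws_iam_policy_document.topic-policy-ecr-sns are the pattern of the default topic policy AWS generates: a "*" principal fenced by an AWS:SourceOwner condition, and a "*" resource. A topic policy is only ever evaluated for the topic it is attached to, so "*" is broader than it needs to be and is what CKV_AWS_356 reports. The rewrite below is an added example, not the repository's code; it assumes the page's aws_sns_topic.ecr_scan_topic and data.aws_caller_identity.current exist in the same module, keeps the original action list, and attaches the document to the topic with an aws_sns_topic_policy resource (not shown on the page, so also an assumption).

```hcl
# Added example: the same two statements scoped to this topic only.
data "aws_iam_policy_document" "topic-policy-ecr-sns" {
  policy_id = "ecr_scan_id"

  # Administrative access for principals in this account. Naming the account
  # root as the principal replaces the "*" principal + AWS:SourceOwner pair and
  # expresses the same scope in a form IAM Access Analyzer and Checkov read.
  statement {
    sid    = "OwnerAccess"
    effect = "Allow"
    actions = [
      "SNS:GetTopicAttributes",
      "SNS:SetTopicAttributes",
      "SNS:AddPermission",
      "SNS:RemovePermission",
      "SNS:DeleteTopic",
      "SNS:Subscribe",
      "SNS:ListSubscriptionsByTopic",
      "SNS:Publish",
      "SNS:Receive",
    ]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    resources = [aws_sns_topic.ecr_scan_topic.arn]
  }

  # EventBridge may publish scan results to this topic, and nothing else.
  statement {
    sid     = "TrustCWEToPublishEventsToMyTopic"
    effect  = "Allow"
    actions = ["SNS:Publish"]
    principals {
      type        = "Service"
      identifiers = ["events.amazonaws.com"]
    }
    resources = [aws_sns_topic.ecr_scan_topic.arn]
  }
}

resource "aws_sns_topic_policy" "ecr_scan_topic" {
  arn    = aws_sns_topic.ecr_scan_topic.arn
  policy = data.aws_iam_policy_document.topic-policy-ecr-sns.json
}
```

Referencing the topic ARN from the policy document does not create a cycle, because the policy is applied by a separate aws_sns_topic_policy resource rather than inline on the topic.
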
    
    Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
    	FAILED for resource: aws_sns_topic.ecr_scan_topic
    	File: /terraform/deployments/ecr/ecr-scan.tf:21-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
    
    		21 | resource "aws_sns_topic" "ecr_scan_topic" {
    		22 |   name = "ecr_scan_topic"
    		23 |   tags = {
    		24 |     Name = "ECR-Scan"
    		25 |   }
    		26 | }
    
    Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
    	FAILED for resource: aws_ecr_repository.repositories
    	File: /terraform/deployments/ecr/main.tf:53-61
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-24.html
    
    		53 | resource "aws_ecr_repository" "repositories" {
    		54 |   for_each             = toset(local.repositories)
    		55 |   name                 = each.key
    		56 |   image_tag_mutability = "MUTABLE" # TODO: consider not allowing mutable tags.
    		57 | 
    		58 |   image_scanning_configuration {
    		59 |     scan_on_push = true
    		60 |   }
    		61 | }
    
    Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
    	FAILED for resource: aws_ecr_repository.repositories
    	File: /terraform/deployments/ecr/main.tf:53-61
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted.html
    
    		53 | resource "aws_ecr_repository" "repositories" {
    		54 |   for_each             = toset(local.repositories)
    		55 |   name                 = each.key
    		56 |   image_tag_mutability = "MUTABLE" # TODO: consider not allowing mutable tags.
    		57 | 
    		58 |   image_scanning_configuration {
    		59 |     scan_on_push = true
    		60 |   }
    		61 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.concourse_ecr_user
    	File: /terraform/deployments/ecr/main.tf:63-65
    
    		63 | resource "aws_iam_user" "concourse_ecr_user" {
    		64 |   name = "concourse_ecr_user"
    		65 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: aws_iam_user.github_ecr_user
    	File: /terraform/deployments/ecr/main.tf:67-70
    
    		67 | resource "aws_iam_user" "github_ecr_user" {
    		68 |   name = "github_ecr_user"
    		69 |   tags = { "Description" = "GitHub Actions publishes images to ECR." }
    		70 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.pull_from_ecr
    	File: /terraform/deployments/ecr/main.tf:159-184
    
    		159 | resource "aws_iam_policy" "pull_from_ecr" {
    		160 |   name = "pull_from_ecr"
    		161 |   policy = jsonencode({
    		162 |     "Version" : "2012-10-17",
    		163 |     "Statement" : [
    		164 |       {
    		165 |         "Sid" : "AllowECRPull",
    		166 |         "Effect" : "Allow",
    		167 |         "Resource" : ["*"],
    		168 |         "Action" : [
    		169 |           "ecr:GetDownloadUrlForLayer",
    		170 |           "ecr:BatchCheckLayerAvailability",
    		171 |           "ecr:BatchGetImage",
    		172 |           "ecr:List*",
    		173 |           "ecr:Describe*"
    		174 |         ]
    		175 |       },
    		176 |       {
    		177 |         "Sid" : "AllowECRToken",
    		178 |         "Effect" : "Allow",
    		179 |         "Resource" : ["*"],
    		180 |         "Action" : ["ecr:GetAuthorizationToken"]
    		181 |       }
    		182 |     ]
    		183 |   })
    		184 | }
    
    Check: CKV_AWS_40: "Ensure IAM policies are attached only to groups or roles (Reducing access management complexity may in-turn reduce opportunity for a principal to inadvertently receive or retain excessive privileges.)"
    	FAILED for resource: aws_iam_user_policy.github_ecr_user_policy
    	File: /terraform/deployments/ecr/main.tf:186-210
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-16-iam-policy-privileges-1.html
    
    		186 | resource "aws_iam_user_policy" "github_ecr_user_policy" {
    		187 |   name = "github_ecr_user_policy"
    		188 |   user = aws_iam_user.github_ecr_user.name
    		189 |   policy = jsonencode({
    		190 |     "Version" : "2012-10-17",
    		191 |     "Statement" : [
    		192 |       {
    		193 |         "Sid" : "AllowPush",
    		194 |         "Effect" : "Allow",
    		195 |         "Action" : [
    		196 |           "ecr:GetDownloadUrlForLayer",
    		197 |           "ecr:BatchGetImage",
    		198 |           "ecr:BatchCheckLayerAvailability",
    		199 |           "ecr:DescribeImages",
    		200 |           "ecr:PutImage",
    		201 |           "ecr:InitiateLayerUpload",
    		202 |           "ecr:UploadLayerPart",
    		203 |           "ecr:GetAuthorizationToken",
    		204 |           "ecr:CompleteLayerUpload"
    		205 |         ],
    		206 |         "Resource" : ["*"],
    		207 |       }
    		208 |     ]
    		209 |   })
    		210 | }
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_user_policy.github_ecr_user_policy
    	File: /terraform/deployments/ecr/main.tf:186-210
    
    		186 | resource "aws_iam_user_policy" "github_ecr_user_policy" {
    		187 |   name = "github_ecr_user_policy"
    		188 |   user = aws_iam_user.github_ecr_user.name
    		189 |   policy = jsonencode({
    		190 |     "Version" : "2012-10-17",
    		191 |     "Statement" : [
    		192 |       {
    		193 |         "Sid" : "AllowPush",
    		194 |         "Effect" : "Allow",
    		195 |         "Action" : [
    		196 |           "ecr:GetDownloadUrlForLayer",
    		197 |           "ecr:BatchGetImage",
    		198 |           "ecr:BatchCheckLayerAvailability",
    		199 |           "ecr:DescribeImages",
    		200 |           "ecr:PutImage",
    		201 |           "ecr:InitiateLayerUpload",
    		202 |           "ecr:UploadLayerPart",
    		203 |           "ecr:GetAuthorizationToken",
    		204 |           "ecr:CompleteLayerUpload"
    		205 |         ],
    		206 |         "Resource" : ["*"],
    		207 |       }
    		208 |     ]
    		209 |   })
    		210 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_user_policy.github_ecr_user_policy
    	File: /terraform/deployments/ecr/main.tf:186-210
    
    		186 | resource "aws_iam_user_policy" "github_ecr_user_policy" {
    		187 |   name = "github_ecr_user_policy"
    		188 |   user = aws_iam_user.github_ecr_user.name
    		189 |   policy = jsonencode({
    		190 |     "Version" : "2012-10-17",
    		191 |     "Statement" : [
    		192 |       {
    		193 |         "Sid" : "AllowPush",
    		194 |         "Effect" : "Allow",
    		195 |         "Action" : [
    		196 |           "ecr:GetDownloadUrlForLayer",
    		197 |           "ecr:BatchGetImage",
    		198 |           "ecr:BatchCheckLayerAvailability",
    		199 |           "ecr:DescribeImages",
    		200 |           "ecr:PutImage",
    		201 |           "ecr:InitiateLayerUpload",
    		202 |           "ecr:UploadLayerPart",
    		203 |           "ecr:GetAuthorizationToken",
    		204 |           "ecr:CompleteLayerUpload"
    		205 |         ],
    		206 |         "Resource" : ["*"],
    		207 |       }
    		208 |     ]
    		209 |   })
    		210 | }
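
The four findings on github_ecr_user and github_ecr_user_policy (CKV_AWS_273, CKV_AWS_40, CKV_AWS_355, CKV_AWS_290), and CKV_AWS_355 on pull_from_ecr, share one fix: replace the long-lived IAM user with a role that GitHub Actions assumes through OIDC, and scope the ECR actions to the repositories this module creates. The block below is an added example and not the repository's code. It assumes the hashicorp/tls provider (for the issuer thumbprint), an input variable `ecr_publisher_repos` listing the GitHub repositories allowed to publish, the role and policy names shown, and that publishing happens from the `main` branch; all of those are assumptions. `aws_ecr_repository.repositories` is the page's own resource.

```hcl
# Added example, not code from alphagov/govuk-infrastructure.

# GitHub's OIDC issuer, registered once per account. The TLS data source reads
# the issuer's current certificate chain at plan time to obtain the thumbprint.
data "tls_certificate" "github" {
  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}

resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
}

# GitHub repositories allowed to publish images, e.g. ["alphagov/example-repo"]
# (assumed variable; the page does not say which repositories push).
variable "ecr_publisher_repos" {
  type = list(string)
}

# Trust policy. Both claims matter: checking only `aud` would let any GitHub
# repository in the world assume the role.
data "aws_iam_policy_document" "github_ecr_trust" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]
    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = [for r in var.ecr_publisher_repos : "repo:${r}:ref:refs/heads/main"]
    }
  }
}

resource "aws_iam_role" "github_ecr_publisher" {
  name                 = "github_ecr_publisher"
  assume_role_policy   = data.aws_iam_policy_document.github_ecr_trust.json
  max_session_duration = 3600
}

# Permissions. ecr:GetAuthorizationToken accepts only "*" (it is not
# resource-restrictable), so it gets its own statement; every other action is
# limited to the repositories created by this module.
data "aws_iam_policy_document" "github_ecr_push" {
  statement {
    sid       = "AllowECRToken"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }

  statement {
    sid = "AllowPush"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:CompleteLayerUpload",
      "ecr:DescribeImages",
      "ecr:GetDownloadUrlForLayer",
      "ecr:InitiateLayerUpload",
      "ecr:PutImage",
      "ecr:UploadLayerPart",
    ]
    resources = [for repo in aws_ecr_repository.repositories : repo.arn]
  }
}

resource "aws_iam_role_policy" "github_ecr_push" {
  name   = "github_ecr_push"
  role   = aws_iam_role.github_ecr_publisher.id
  policy = data.aws_iam_policy_document.github_ecr_push.json
}
```

On the GitHub side the workflow needs `permissions: id-token: write` and a credentials step that assumes the role ARN; no secret is stored in GitHub. The same resource-scoping applies to the other "*" findings in this report: codecommit:GitPush in github/mirror.tf can name the target repository ARNs, and the logs actions in search_api_learn_to_rank_role.tf can name log group ARNs, whereas cloudwatch:PutMetricData, like ecr:GetAuthorizationToken, only accepts "*" and is a candidate for an inline `#checkov:skip=CKV_AWS_356:<reason>` with the justification written down. The Concourse user could follow the same route only if Concourse runs on AWS compute that can carry a role, which the page does not tell us.
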
    
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_role_policy.github_action_mirror_repos_policy
    	File: /terraform/deployments/github/mirror.tf:34-50
    
    		34 | resource "aws_iam_role_policy" "github_action_mirror_repos_policy" {
    		35 |   name = "github_action_mirror_repos_policy"
    		36 |   role = aws_iam_role.github_action_mirror_repos_role.id
    		37 | 
    		38 |   policy = jsonencode({
    		39 |     Version = "2012-10-17"
    		40 |     Statement = [
    		41 |       {
    		42 |         Action = [
    		43 |           "codecommit:GitPush"
    		44 |         ]
    		45 |         Effect   = "Allow"
    		46 |         Resource = "*"
    		47 |       },
    		48 |     ]
    		49 |   })
    		50 | }
    
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_role_policy.github_action_mirror_repos_policy
    	File: /terraform/deployments/github/mirror.tf:34-50
    
    		34 | resource "aws_iam_role_policy" "github_action_mirror_repos_policy" {
    		35 |   name = "github_action_mirror_repos_policy"
    		36 |   role = aws_iam_role.github_action_mirror_repos_role.id
    		37 | 
    		38 |   policy = jsonencode({
    		39 |     Version = "2012-10-17"
    		40 |     Statement = [
    		41 |       {
    		42 |         Action = [
    		43 |           "codecommit:GitPush"
    		44 |         ]
    		45 |         Effect   = "Allow"
    		46 |         Resource = "*"
    		47 |       },
    		48 |     ]
    		49 |   })
    		50 | }
    
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.learn_to_rank_job
    	File: /terraform/deployments/govuk-publishing-infrastructure/search_api_learn_to_rank_role.tf:21-74
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.learn_to_rank_job
    	File: /terraform/deployments/govuk-publishing-infrastructure/search_api_learn_to_rank_role.tf:21-74
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.learn_to_rank_sagemaker
    	File: /terraform/deployments/govuk-publishing-infrastructure/search_api_learn_to_rank_role.tf:87-122
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		87  | data "aws_iam_policy_document" "learn_to_rank_sagemaker" {
    		88  |   statement {
    		89  |     actions = [
    		90  |       "s3:Put*",
    		91  |       "s3:List*",
    		92  |       "s3:Get*",
    		93  |       "s3:DeleteObject"
    		94  |     ]
    		95  |     resources = [
    		96  |       "arn:aws:s3:::govuk-${var.govuk_environment}-search-relevancy/*",
    		97  |       "arn:aws:s3:::govuk-${var.govuk_environment}-search-relevancy"
    		98  |     ]
    		99  |   }
    		100 | 
    		101 |   statement {
    		102 |     actions = [
    		103 |       "logs:PutLogEvents",
    		104 |       "logs:GetLogEvents",
    		105 |       "logs:DescribeLogStreams",
    		106 |       "logs:CreateLogStream",
    		107 |       "logs:CreateLogGroup",
    		108 |       "ecr:GetAuthorizationToken",
    		109 |       "cloudwatch:PutMetricData"
    		110 |     ]
    		111 |     resources = ["*"]
    		112 |   }
    		113 | 
    		114 |   statement {
    		115 |     actions = [
    		116 |       "ecr:BatchCheckLayerAvailability",
    		117 |       "ecr:GetDownloadUrlForLayer",
    		118 |       "ecr:BatchGetImage"
    		119 |     ]
    		120 |     resources = ["arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/search"]
    		121 |   }
    		122 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.learn_to_rank_sagemaker
    	File: /terraform/deployments/govuk-publishing-infrastructure/search_api_learn_to_rank_role.tf:87-122
    
    		87  | data "aws_iam_policy_document" "learn_to_rank_sagemaker" {
    		88  |   statement {
    		89  |     actions = [
    		90  |       "s3:Put*",
    		91  |       "s3:List*",
    		92  |       "s3:Get*",
    		93  |       "s3:DeleteObject"
    		94  |     ]
    		95  |     resources = [
    		96  |       "arn:aws:s3:::govuk-${var.govuk_environment}-search-relevancy/*",
    		97  |       "arn:aws:s3:::govuk-${var.govuk_environment}-search-relevancy"
    		98  |     ]
    		99  |   }
    		100 | 
    		101 |   statement {
    		102 |     actions = [
    		103 |       "logs:PutLogEvents",
    		104 |       "logs:GetLogEvents",
    		105 |       "logs:DescribeLogStreams",
    		106 |       "logs:CreateLogStream",
    		107 |       "logs:CreateLogGroup",
    		108 |       "ecr:GetAuthorizationToken",
    		109 |       "cloudwatch:PutMetricData"
    		110 |     ]
    		111 |     resources = ["*"]
    		112 |   }
    		113 | 
    		114 |   statement {
    		115 |     actions = [
    		116 |       "ecr:BatchCheckLayerAvailability",
    		117 |       "ecr:GetDownloadUrlForLayer",
    		118 |       "ecr:BatchGetImage"
    		119 |     ]
    		120 |     resources = ["arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/search"]
    		121 |   }
    		122 | }
    
    Check: CKV_AWS_191: "Ensure Elasticache replication group is encrypted by KMS using a customer managed Key (CMK)"
    	FAILED for resource: aws_elasticache_replication_group.shared_redis_cluster
    	File: /terraform/deployments/govuk-publishing-infrastructure/shared_redis.tf:19-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/bc-aws-general-111.html
    
    		19 | resource "aws_elasticache_replication_group" "shared_redis_cluster" {
    		20 |   apply_immediately          = var.govuk_environment != "production"
    		21 |   replication_group_id       = local.shared_redis_name
    		22 |   description                = "${local.shared_redis_name} Redis cluster with Redis master and replica"
    		23 |   node_type                  = var.shared_redis_cluster_node_type
    		24 |   num_cache_clusters         = 2
    		25 |   automatic_failover_enabled = true
    		26 |   multi_az_enabled           = true
    		27 |   parameter_group_name       = "default.redis6.x"
    		28 |   engine_version             = "6.x"
    		29 |   subnet_group_name          = aws_elasticache_subnet_group.shared_redis_cluster.name
    		30 |   security_group_ids         = [aws_security_group.shared_redis_cluster.id]
    		31 |   tags = {
    		32 |     Name = local.shared_redis_name
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_30: "Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit"
    	FAILED for resource: aws_elasticache_replication_group.shared_redis_cluster
    	File: /terraform/deployments/govuk-publishing-infrastructure/shared_redis.tf:19-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-10.html
    
    		19 | resource "aws_elasticache_replication_group" "shared_redis_cluster" {
    		20 |   apply_immediately          = var.govuk_environment != "production"
    		21 |   replication_group_id       = local.shared_redis_name
    		22 |   description                = "${local.shared_redis_name} Redis cluster with Redis master and replica"
    		23 |   node_type                  = var.shared_redis_cluster_node_type
    		24 |   num_cache_clusters         = 2
    		25 |   automatic_failover_enabled = true
    		26 |   multi_az_enabled           = true
    		27 |   parameter_group_name       = "default.redis6.x"
    		28 |   engine_version             = "6.x"
    		29 |   subnet_group_name          = aws_elasticache_subnet_group.shared_redis_cluster.name
    		30 |   security_group_ids         = [aws_security_group.shared_redis_cluster.id]
    		31 |   tags = {
    		32 |     Name = local.shared_redis_name
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_31: "Ensure all data stored in the Elasticache Replication Group is securely encrypted at transit and has auth token"
    	FAILED for resource: aws_elasticache_replication_group.shared_redis_cluster
    	File: /terraform/deployments/govuk-publishing-infrastructure/shared_redis.tf:19-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-11.html
    
    		19 | resource "aws_elasticache_replication_group" "shared_redis_cluster" {
    		20 |   apply_immediately          = var.govuk_environment != "production"
    		21 |   replication_group_id       = local.shared_redis_name
    		22 |   description                = "${local.shared_redis_name} Redis cluster with Redis master and replica"
    		23 |   node_type                  = var.shared_redis_cluster_node_type
    		24 |   num_cache_clusters         = 2
    		25 |   automatic_failover_enabled = true
    		26 |   multi_az_enabled           = true
    		27 |   parameter_group_name       = "default.redis6.x"
    		28 |   engine_version             = "6.x"
    		29 |   subnet_group_name          = aws_elasticache_subnet_group.shared_redis_cluster.name
    		30 |   security_group_ids         = [aws_security_group.shared_redis_cluster.id]
    		31 |   tags = {
    		32 |     Name = local.shared_redis_name
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_29: "Ensure all data stored in the Elasticache Replication Group is securely encrypted at rest"
    	FAILED for resource: aws_elasticache_replication_group.shared_redis_cluster
    	File: /terraform/deployments/govuk-publishing-infrastructure/shared_redis.tf:19-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-9.html
    
    		19 | resource "aws_elasticache_replication_group" "shared_redis_cluster" {
    		20 |   apply_immediately          = var.govuk_environment != "production"
    		21 |   replication_group_id       = local.shared_redis_name
    		22 |   description                = "${local.shared_redis_name} Redis cluster with Redis master and replica"
    		23 |   node_type                  = var.shared_redis_cluster_node_type
    		24 |   num_cache_clusters         = 2
    		25 |   automatic_failover_enabled = true
    		26 |   multi_az_enabled           = true
    		27 |   parameter_group_name       = "default.redis6.x"
    		28 |   engine_version             = "6.x"
    		29 |   subnet_group_name          = aws_elasticache_subnet_group.shared_redis_cluster.name
    		30 |   security_group_ids         = [aws_security_group.shared_redis_cluster.id]
    		31 |   tags = {
    		32 |     Name = local.shared_redis_name
    		33 |   }
    		34 | }
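The four ElastiCache findings above (CKV_AWS_191, CKV_AWS_30, CKV_AWS_31, CKV_AWS_29) all describe the same gap: the replication group is created with the provider defaults, so data sits on disk under the service key, travels between the EKS pods and Redis in cleartext, and any pod that can reach the security group can issue Redis commands without authenticating. The block below is an added example of the same resource with those three controls turned on; it is not the repository's code, and `aws_kms_key.redis` plus the Secrets Manager names are assumptions.

```hcl
# Added example, not the repository's code.

# Redis AUTH tokens must be 16-128 printable ASCII characters and may not
# contain "/", "@", double quotes or spaces; an alphanumeric string is safe.
resource "random_password" "redis_auth" {
  length  = 64
  special = false
}

# Keep the token where the applications can fetch it rather than in a
# Helm values file. Assumed name.
resource "aws_secretsmanager_secret" "redis_auth" {
  name = "${local.shared_redis_name}/auth-token"
}

resource "aws_secretsmanager_secret_version" "redis_auth" {
  secret_id     = aws_secretsmanager_secret.redis_auth.id
  secret_string = random_password.redis_auth.result
}

resource "aws_elasticache_replication_group" "shared_redis_cluster" {
  apply_immediately          = var.govuk_environment != "production"
  replication_group_id       = local.shared_redis_name
  description                = "${local.shared_redis_name} Redis cluster with Redis master and replica"
  node_type                  = var.shared_redis_cluster_node_type
  num_cache_clusters         = 2
  automatic_failover_enabled = true
  multi_az_enabled           = true
  parameter_group_name       = "default.redis6.x"
  engine_version             = "6.x"
  subnet_group_name          = aws_elasticache_subnet_group.shared_redis_cluster.name
  security_group_ids         = [aws_security_group.shared_redis_cluster.id]

  # CKV_AWS_29 / CKV_AWS_191. At-rest encryption is a creation-time setting:
  # enabling it on an existing group forces replacement, so expect a cold
  # cache (and a new endpoint if the replication_group_id changes).
  at_rest_encryption_enabled = true
  kms_key_id                 = aws_kms_key.redis.arn # assumed customer managed key

  # CKV_AWS_30 / CKV_AWS_31. TLS plus AUTH; auth_token is only valid when
  # transit encryption is on. On the 6.x engine this is also creation-time
  # only; Redis 7 groups can migrate in place via transit_encryption_mode.
  transit_encryption_enabled = true
  auth_token                 = random_password.redis_auth.result

  tags = {
    Name = local.shared_redis_name
  }
}
```

Because both encryption settings replace the group, plan the cut-over with the clients: every application must be switched to `rediss://` and given the token at the same time, or it will be locked out of the new group. Verify the result with `aws elasticache describe-replication-groups --replication-group-id <id> --query 'ReplicationGroups[0].[AtRestEncryptionEnabled,TransitEncryptionEnabled,AuthTokenEnabled]'`, which should print three `true` values.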
    
    Check: CKV_AWS_119: "Ensure DynamoDB Tables are encrypted using a KMS Customer Managed CMK"
    	FAILED for resource: aws_dynamodb_table.terraform_state_lock
    	File: /terraform/deployments/terraform-lock/main.tf:17-34
    	Guide: https://docs.bridgecrew.io/docs/ensure-that-dynamodb-tables-are-encrypted
    
    		17 | resource "aws_dynamodb_table" "terraform_state_lock" {
    		18 |   name         = "terraform-lock"
    		19 |   hash_key     = "LockID"
    		20 |   billing_mode = "PAY_PER_REQUEST"
    		21 | 
    		22 |   attribute {
    		23 |     name = "LockID"
    		24 |     type = "S"
    		25 |   }
    		26 | 
    		27 |   tags = {
    		28 |     chargeable_entity    = "terraform-lock"
    		29 |     project              = "replatforming"
    		30 |     repository           = "govuk-infrastructure"
    		31 |     terraform_deployment = "terraform-lock"
    		32 |     terraform_workspace  = terraform.workspace
    		33 |   }
    		34 | }
    
    Check: CKV_AWS_28: "Ensure Dynamodb point in time recovery (backup) is enabled"
    	FAILED for resource: aws_dynamodb_table.terraform_state_lock
    	File: /terraform/deployments/terraform-lock/main.tf:17-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-6.html
    
    		17 | resource "aws_dynamodb_table" "terraform_state_lock" {
    		18 |   name         = "terraform-lock"
    		19 |   hash_key     = "LockID"
    		20 |   billing_mode = "PAY_PER_REQUEST"
    		21 | 
    		22 |   attribute {
    		23 |     name = "LockID"
    		24 |     type = "S"
    		25 |   }
    		26 | 
    		27 |   tags = {
    		28 |     chargeable_entity    = "terraform-lock"
    		29 |     project              = "replatforming"
    		30 |     repository           = "govuk-infrastructure"
    		31 |     terraform_deployment = "terraform-lock"
    		32 |     terraform_workspace  = terraform.workspace
    		33 |   }
    		34 | }
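Two notes before fixing these. First, `terraform-lock` holds lock rows and the MD5 digest of the state file, not the state itself; the secrets live in the S3 state bucket, so CKV_AWS_119 matters less here than the check text suggests. Second, the table is still worth hardening because it is cheap and because losing it mid-apply is awkward. This is an added example, not the repository's code; `aws_kms_key.terraform_lock` is an assumed key.

```hcl
# Added example, not the repository's code.
resource "aws_dynamodb_table" "terraform_state_lock" {
  name         = "terraform-lock"
  hash_key     = "LockID"
  billing_mode = "PAY_PER_REQUEST"

  attribute {
    name = "LockID"
    type = "S"
  }

  # CKV_AWS_28. Rows are short-lived, so PITR mainly gives a timeline of who
  # held locks; on a pay-per-request table it costs almost nothing.
  point_in_time_recovery {
    enabled = true
  }

  # CKV_AWS_119. Note that enabled = true on its own only moves the table
  # from the AWS-owned key to the AWS-managed aws/dynamodb key, which still
  # fails the check; only kms_key_arn makes it a customer managed key.
  server_side_encryption {
    enabled     = true
    kms_key_arn = aws_kms_key.terraform_lock.arn # assumed key
  }

  # Not a Checkov check, but the real operational risk for this table.
  deletion_protection_enabled = true

  tags = {
    chargeable_entity    = "terraform-lock"
    project              = "replatforming"
    repository           = "govuk-infrastructure"
    terraform_deployment = "terraform-lock"
    terraform_workspace  = terraform.workspace
  }
}
```

Every identity that runs Terraform against this backend now also needs `kms:Decrypt`, `kms:Encrypt` and `kms:GenerateDataKey` on the assumed key, so add those to the same policy that grants the DynamoDB lock permissions before switching.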
    
    Check: CKV_AWS_286: "Ensure IAM policies does not allow privilege escalation"
    	FAILED for resource: aws_iam_policy.tfc_policy
    	File: /terraform/deployments/tfc-configuration/aws/main.tf:38-94
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_288: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_policy.tfc_policy
    	File: /terraform/deployments/tfc-configuration/aws/main.tf:38-94
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_289: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
    	FAILED for resource: aws_iam_policy.tfc_policy
    	File: /terraform/deployments/tfc-configuration/aws/main.tf:38-94
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_287: "Ensure IAM policies does not allow credentials exposure"
    	FAILED for resource: aws_iam_policy.tfc_policy
    	File: /terraform/deployments/tfc-configuration/aws/main.tf:38-94
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy.tfc_policy
    	File: /terraform/deployments/tfc-configuration/aws/main.tf:38-94
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy.tfc_policy
    	File: /terraform/deployments/tfc-configuration/aws/main.tf:38-94
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_31: "Ensure WAF2 has a Logging Configuration"
    	FAILED for resource: aws_wafv2_web_acl.cdn_poc_govuk
    	File: /terraform/deployments/cloudfront/main.tf:177-317
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-33.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.tempo
    	File: /terraform/deployments/cluster-services/tempo.tf:6-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		6 | resource "aws_s3_bucket" "tempo" {
    		7 |   bucket = "govuk-${var.govuk_environment}-tempo"
    		8 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.app_assets
    	File: /terraform/deployments/govuk-publishing-infrastructure/app_assets_s3.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		1 | resource "aws_s3_bucket" "app_assets" {
    		2 |   bucket        = "govuk-app-assets-${var.govuk_environment}"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "App static assets for ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.location_api_import_csvs
    	File: /terraform/deployments/govuk-publishing-infrastructure/locations_api_s3.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		1 | resource "aws_s3_bucket" "location_api_import_csvs" {
    		2 |   bucket        = "govuk-${var.govuk_environment}-locations-api-import-csvs"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "CSVs used for importing postcode information into Locations API in ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.publisher_csvs
    	File: /terraform/deployments/govuk-publishing-infrastructure/publisher_s3.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		1 | resource "aws_s3_bucket" "publisher_csvs" {
    		2 |   bucket        = "govuk-${var.govuk_environment}-publisher-csvs"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "CSVs generated by Publisher in ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
    	FAILED for resource: aws_s3_bucket.search_analytics
    	File: /terraform/deployments/govuk-publishing-infrastructure/search_analytics_s3.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled.html
    
    		1 | resource "aws_s3_bucket" "search_analytics" {
    		2 |   bucket        = "govuk-search-analytics-${var.govuk_environment}"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "Search analytics reports for ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.tempo
    	File: /terraform/deployments/cluster-services/tempo.tf:6-8
    
    		6 | resource "aws_s3_bucket" "tempo" {
    		7 |   bucket = "govuk-${var.govuk_environment}-tempo"
    		8 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.app_assets
    	File: /terraform/deployments/govuk-publishing-infrastructure/app_assets_s3.tf:1-8
    
    		1 | resource "aws_s3_bucket" "app_assets" {
    		2 |   bucket        = "govuk-app-assets-${var.govuk_environment}"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "App static assets for ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.location_api_import_csvs
    	File: /terraform/deployments/govuk-publishing-infrastructure/locations_api_s3.tf:1-8
    
    		1 | resource "aws_s3_bucket" "location_api_import_csvs" {
    		2 |   bucket        = "govuk-${var.govuk_environment}-locations-api-import-csvs"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "CSVs used for importing postcode information into Locations API in ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.publisher_csvs
    	File: /terraform/deployments/govuk-publishing-infrastructure/publisher_s3.tf:1-8
    
    		1 | resource "aws_s3_bucket" "publisher_csvs" {
    		2 |   bucket        = "govuk-${var.govuk_environment}-publisher-csvs"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "CSVs generated by Publisher in ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
    	FAILED for resource: aws_s3_bucket.search_analytics
    	File: /terraform/deployments/govuk-publishing-infrastructure/search_analytics_s3.tf:1-8
    
    		1 | resource "aws_s3_bucket" "search_analytics" {
    		2 |   bucket        = "govuk-search-analytics-${var.govuk_environment}"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "Search analytics reports for ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
    	FAILED for resource: aws_cloudfront_distribution.www_distribution
    	File: /terraform/deployments/cloudfront/main.tf:319-421
    	Guide: https://docs.bridgecrew.io/docs/ensure-aws-cloudfront-attached-wafv2-webacl-is-configured-with-amr-for-log4j-vulnerability
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_47: "Ensure AWS CloudFront attached WAFv2 WebACL is configured with AMR for Log4j Vulnerability"
    	FAILED for resource: aws_cloudfront_distribution.assets_distribution
    	File: /terraform/deployments/cloudfront/main.tf:423-480
    	Guide: https://docs.bridgecrew.io/docs/ensure-aws-cloudfront-attached-wafv2-webacl-is-configured-with-amr-for-log4j-vulnerability
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
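CKV2_AWS_31 (web ACL without logging) and the two CKV2_AWS_47 findings (distributions whose web ACL has no Log4j managed rule) are best addressed together, since both live on the same CloudFront-scoped web ACL. CKV2_AWS_47 specifically looks for the `AWSManagedRulesKnownBadInputsRuleSet` managed rule group, which carries the Log4Shell (CVE-2021-44228) signatures. The following is an added example of a minimal ACL that satisfies both checks; it is not the repository's `cdn_poc_govuk` ACL, and the `aws.us_east_1` provider alias and resource names are assumptions.

```hcl
# Added example, not the repository's code.

resource "aws_wafv2_web_acl" "cdn" {
  provider = aws.us_east_1 # CLOUDFRONT-scoped ACLs must be created in us-east-1
  name     = "cdn-web-acl"
  scope    = "CLOUDFRONT"

  default_action {
    allow {}
  }

  # CKV2_AWS_47: the managed rule group Checkov expects. override_action none
  # keeps the group's own block actions; "count" would log but not block.
  rule {
    name     = "AWSManagedRulesKnownBadInputsRuleSet"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "KnownBadInputs"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "cdn-web-acl"
    sampled_requests_enabled   = true
  }
}

# CKV2_AWS_31. WAF only accepts destinations whose name starts with
# "aws-waf-logs-", and for a CLOUDFRONT ACL the destination must be in
# us-east-1 as well.
resource "aws_cloudwatch_log_group" "waf" {
  provider          = aws.us_east_1
  name              = "aws-waf-logs-cdn"
  retention_in_days = 90
}

resource "aws_wafv2_web_acl_logging_configuration" "cdn" {
  provider                = aws.us_east_1
  resource_arn            = aws_wafv2_web_acl.cdn.arn
  log_destination_configs = [aws_cloudwatch_log_group.waf.arn]

  # Full request logs include headers; keep credentials and session cookies
  # out of the log stream. Header names must be lower case here.
  redacted_fields {
    single_header {
      name = "authorization"
    }
  }
  redacted_fields {
    single_header {
      name = "cookie"
    }
  }
}
```

The distribution side is one attribute: set `web_acl_id = aws_wafv2_web_acl.cdn.arn` on each `aws_cloudfront_distribution` (for WAFv2 the attribute takes the ACL ARN, not an ID). Checkov resolves CKV2_AWS_47 by following that reference from the distribution to the ACL, so a distribution with no `web_acl_id` at all fails the check in the same way as one whose ACL lacks the rule group.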
    Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
    	FAILED for resource: aws_kms_key.eks
    	File: /terraform/deployments/cluster-infrastructure/main.tf:104-108
    
    		104 | resource "aws_kms_key" "eks" {
    		105 |   description             = "EKS Secret Encryption Key"
    		106 |   deletion_window_in_days = 7
    		107 |   enable_key_rotation     = true
    		108 | }
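When `policy` is omitted, AWS attaches the default key policy, which hands full use of the key to the account root and therefore to anything an IAM policy in the account allows; that is what CKV2_AWS_64 is pointing at. For a key that encrypts Kubernetes secrets the intended set of users is small: key administrators, and the EKS cluster role. Added example, not the repository's code; `aws_iam_role.eks_cluster` is an assumed name for the cluster IAM role.

```hcl
# Added example, not the repository's code.

data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "eks_kms" {
  # The root grant cannot be dropped: without it the key becomes
  # unmanageable. What changes is that it is now the only account-wide grant,
  # so ordinary IAM policies no longer imply kms:Decrypt on this key.
  statement {
    sid       = "KeyAdministration"
    actions   = ["kms:*"]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
  }

  # The EKS control plane calls KMS with the cluster role. DescribeKey and
  # CreateGrant are what EKS needs to set up envelope encryption; the grant
  # it creates is what actually performs Encrypt/Decrypt at runtime.
  statement {
    sid = "EKSClusterUse"
    actions = [
      "kms:DescribeKey",
      "kms:CreateGrant",
      "kms:Encrypt",
      "kms:Decrypt",
    ]
    resources = ["*"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.eks_cluster.arn] # assumed cluster role
    }
  }
}

resource "aws_kms_key" "eks" {
  description             = "EKS Secret Encryption Key"
  deletion_window_in_days = 7
  enable_key_rotation     = true
  policy                  = data.aws_iam_policy_document.eks_kms.json
}
```

One practical snag: if the cluster role is created by the same EKS module that consumes this key (the repository uses `terraform-aws-modules/eks/aws`), referencing the module's role output from the key policy creates a dependency cycle. In that case create the role outside the module, or build the role ARN as a string from a known name, rather than referencing the module output.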
    
    Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
    	FAILED for resource: aws_secretsmanager_secret.grafana_db
    	File: /terraform/deployments/cluster-infrastructure/grafana.tf:129-132
    
    		129 | resource "aws_secretsmanager_secret" "grafana_db" {
    		130 |   name                    = "${module.eks.cluster_name}/grafana/database"
    		131 |   recovery_window_in_days = var.secrets_recovery_window_in_days
    		132 | }
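Rotation is not a flag on the secret: `aws_secretsmanager_secret_rotation` needs a Lambda that knows how to set the new password in the database and update the secret, and Secrets Manager must be allowed to invoke it. The example below is added here and is not the repository's code; `aws_lambda_function.grafana_db_rotation` is an assumed function (for an RDS-backed Grafana the usual choice is the AWS-provided single-user PostgreSQL rotation function from the Serverless Application Repository).

```hcl
# Added example, not the repository's code.

resource "aws_secretsmanager_secret" "grafana_db" {
  name                    = "${module.eks.cluster_name}/grafana/database"
  recovery_window_in_days = var.secrets_recovery_window_in_days
}

# CKV2_AWS_57: rotate every 30 days using the assumed rotation function.
resource "aws_secretsmanager_secret_rotation" "grafana_db" {
  secret_id           = aws_secretsmanager_secret.grafana_db.id
  rotation_lambda_arn = aws_lambda_function.grafana_db_rotation.arn

  rotation_rules {
    automatically_after_days = 30
  }
}

# Without this, the first rotation fails with an access-denied error from
# Secrets Manager trying to invoke the function.
resource "aws_lambda_permission" "grafana_db_rotation" {
  statement_id  = "AllowSecretsManagerInvoke"
  action        = "lambda:InvokeFunction"
  function_name = aws_lambda_function.grafana_db_rotation.function_name
  principal     = "secretsmanager.amazonaws.com"
}
```

Rotation only helps if the consumer picks up the new value. A Grafana pod that reads the password into an environment variable at start-up keeps the old credential until it restarts, so pair this with a mechanism (External Secrets Operator reload, a restart hook, or the rotation function's own `finishSecret` step) that makes the application re-read the secret. Where no rotation function is feasible, say so on the resource with `#checkov:skip=CKV2_AWS_57:<reason>` rather than leaving the finding open.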
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.tempo
    	File: /terraform/deployments/cluster-services/tempo.tf:6-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		6 | resource "aws_s3_bucket" "tempo" {
    		7 |   bucket = "govuk-${var.govuk_environment}-tempo"
    		8 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.app_assets
    	File: /terraform/deployments/govuk-publishing-infrastructure/app_assets_s3.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		1 | resource "aws_s3_bucket" "app_assets" {
    		2 |   bucket        = "govuk-app-assets-${var.govuk_environment}"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "App static assets for ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.location_api_import_csvs
    	File: /terraform/deployments/govuk-publishing-infrastructure/locations_api_s3.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		1 | resource "aws_s3_bucket" "location_api_import_csvs" {
    		2 |   bucket        = "govuk-${var.govuk_environment}-locations-api-import-csvs"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "CSVs used for importing postcode information into Locations API in ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
    	FAILED for resource: aws_s3_bucket.publisher_csvs
    	File: /terraform/deployments/govuk-publishing-infrastructure/publisher_s3.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-16-enable-versioning.html
    
    		1 | resource "aws_s3_bucket" "publisher_csvs" {
    		2 |   bucket        = "govuk-${var.govuk_environment}-publisher-csvs"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "CSVs generated by Publisher in ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    	FAILED for resource: aws_security_group.rds
    	File: /terraform/deployments/datagovuk-infrastructure/security.tf:1-5
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
    
    		1 | resource "aws_security_group" "rds" {
    		2 |   name        = "ckan-rds-eks"
    		3 |   description = "Allow access to CKAN DB from EKS nodes"
    		4 |   vpc_id      = data.terraform_remote_state.infra_vpc.outputs.vpc_id
    		5 | }
    
    Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    	FAILED for resource: aws_security_group.eks_ingress_www_origin
    	File: /terraform/deployments/govuk-publishing-infrastructure/security.tf:168-175
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
    
    		168 | resource "aws_security_group" "eks_ingress_www_origin" {
    		169 |   name        = "eks_ingress_www_origin"
    		170 |   vpc_id      = data.terraform_remote_state.infra_vpc.outputs.vpc_id
    		171 |   description = "ALBs serving EKS www-origin ingress (and signon ALBs in non-prod environments)."
    		172 |   tags = {
    		173 |     Name = "eks_ingress_www_origin"
    		174 |   }
    		175 | }
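CKV2_AWS_5 is a graph check: it passes only when some other resource in the scanned configuration references the security group. The description on `eks_ingress_www_origin` says the ALBs are created by the AWS Load Balancer Controller from Kubernetes Ingress objects, so Terraform never references the group and Checkov cannot see the attachment. That makes the finding a false positive, but an empty security group is still a smell, since a group with no rules is either unused or silently relying on rules defined elsewhere. The block below is an added example, not the repository's code; `var.cdn_origin_cidrs`, `aws_security_group.eks_nodes` and the Ingress annotation are assumptions.

```hcl
# Added example, not the repository's code.

resource "aws_security_group" "eks_ingress_www_origin" {
  # Inline suppressions must sit inside the resource block. The reason is
  # what stops the next person re-triaging this every scan.
  #checkov:skip=CKV2_AWS_5:Attached at runtime by the AWS Load Balancer Controller (alb.ingress.kubernetes.io/security-groups)
  name        = "eks_ingress_www_origin"
  vpc_id      = data.terraform_remote_state.infra_vpc.outputs.vpc_id
  description = "ALBs serving EKS www-origin ingress (and signon ALBs in non-prod environments)."
  tags = {
    Name = "eks_ingress_www_origin"
  }
}

# Inbound: only the CDN's egress ranges should reach the origin ALB directly.
# Assumption: var.cdn_origin_cidrs lists those ranges.
resource "aws_vpc_security_group_ingress_rule" "www_origin_https" {
  for_each = toset(var.cdn_origin_cidrs)

  security_group_id = aws_security_group.eks_ingress_www_origin.id
  description       = "HTTPS from CDN egress range"
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
  cidr_ipv4         = each.value
}

# Outbound: the ALB only needs the node group, not 0.0.0.0/0. The port range
# covers the NodePort/target-port range the controller registers targets on.
resource "aws_vpc_security_group_egress_rule" "www_origin_to_nodes" {
  security_group_id            = aws_security_group.eks_ingress_www_origin.id
  description                  = "To EKS node targets"
  ip_protocol                  = "tcp"
  from_port                    = 1024
  to_port                      = 65535
  referenced_security_group_id = aws_security_group.eks_nodes.id # assumed node SG
}
```

The `aws_security_group.rds` finding in `datagovuk-infrastructure/security.tf` is the same situation in reverse: if the group is handed to an RDS instance in another deployment via remote state, Checkov cannot see that either, and the same inline skip with a reason is the honest fix.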
    
    Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
    	FAILED for resource: aws_route53_zone.cluster_public
    	File: /terraform/deployments/cluster-infrastructure/external_dns.tf:48-51
    
    		48 | resource "aws_route53_zone" "cluster_public" {
    		49 |   name          = local.external_dns_zone_name
    		50 |   force_destroy = var.force_destroy
    		51 | }
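Route 53 query logging has two constraints that are easy to trip over: for public hosted zones the destination must be a CloudWatch log group in us-east-1 regardless of where the rest of the stack lives, and the `route53.amazonaws.com` service principal needs a CloudWatch Logs resource policy before the first delivery succeeds. The following is an added example, not the repository's code; the `aws.us_east_1` provider alias is an assumption.

```hcl
# Added example, not the repository's code.

resource "aws_route53_zone" "cluster_public" {
  name          = local.external_dns_zone_name
  force_destroy = var.force_destroy
}

# Must live in us-east-1 for public hosted zones.
resource "aws_cloudwatch_log_group" "route53_queries" {
  provider          = aws.us_east_1
  name              = "/aws/route53/${local.external_dns_zone_name}"
  retention_in_days = 30
}

# Resource policy (not an IAM policy) letting Route 53 write into the group.
# The ":*" suffix matches the log streams Route 53 creates per edge location.
data "aws_iam_policy_document" "route53_query_logging" {
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["${aws_cloudwatch_log_group.route53_queries.arn}:*"]
    principals {
      type        = "Service"
      identifiers = ["route53.amazonaws.com"]
    }
  }
}

resource "aws_cloudwatch_log_resource_policy" "route53_query_logging" {
  provider        = aws.us_east_1
  policy_name     = "route53-query-logging"
  policy_document = data.aws_iam_policy_document.route53_query_logging.json
}

# CKV2_AWS_39. Creating this before the resource policy exists fails, hence
# the explicit depends_on.
resource "aws_route53_query_log" "cluster_public" {
  zone_id                  = aws_route53_zone.cluster_public.zone_id
  cloudwatch_log_group_arn = aws_cloudwatch_log_group.route53_queries.arn

  depends_on = [aws_cloudwatch_log_resource_policy.route53_query_logging]
}
```

Be clear about what these logs contain: only queries that reach Route 53's authoritative servers, so anything answered from a resolver cache never appears. They are useful for spotting enumeration of the zone and unexpected record lookups, not for auditing what workloads inside the VPC resolve; that is Route 53 Resolver query logging, a different feature.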
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.tempo
    	File: /terraform/deployments/cluster-services/tempo.tf:6-8
    
    		6 | resource "aws_s3_bucket" "tempo" {
    		7 |   bucket = "govuk-${var.govuk_environment}-tempo"
    		8 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.app_assets
    	File: /terraform/deployments/govuk-publishing-infrastructure/app_assets_s3.tf:1-8
    
    		1 | resource "aws_s3_bucket" "app_assets" {
    		2 |   bucket        = "govuk-app-assets-${var.govuk_environment}"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "App static assets for ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.location_api_import_csvs
    	File: /terraform/deployments/govuk-publishing-infrastructure/locations_api_s3.tf:1-8
    
    		1 | resource "aws_s3_bucket" "location_api_import_csvs" {
    		2 |   bucket        = "govuk-${var.govuk_environment}-locations-api-import-csvs"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "CSVs used for importing postcode information into Locations API in ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.publisher_csvs
    	File: /terraform/deployments/govuk-publishing-infrastructure/publisher_s3.tf:1-8
    
    		1 | resource "aws_s3_bucket" "publisher_csvs" {
    		2 |   bucket        = "govuk-${var.govuk_environment}-publisher-csvs"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "CSVs generated by Publisher in ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
    	FAILED for resource: aws_s3_bucket.search_analytics
    	File: /terraform/deployments/govuk-publishing-infrastructure/search_analytics_s3.tf:1-8
    
    		1 | resource "aws_s3_bucket" "search_analytics" {
    		2 |   bucket        = "govuk-search-analytics-${var.govuk_environment}"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "Search analytics reports for ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV2_AWS_37: "Ensure Codecommit associates an approval rule"
    	FAILED for resource: aws_codecommit_repository.govuk_repos
    	File: /terraform/deployments/github/mirror.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-codecommit-is-associated-with-an-approval-rule.html
    
    		1 | resource "aws_codecommit_repository" "govuk_repos" {
    		2 |   for_each = data.github_repository.govuk
    		3 | 
    		4 |   repository_name = each.value.name
    		5 |   description     = each.value.description
    		6 |   default_branch  = each.value.default_branch
    		7 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.tempo
    	File: /terraform/deployments/cluster-services/tempo.tf:6-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		6 | resource "aws_s3_bucket" "tempo" {
    		7 |   bucket = "govuk-${var.govuk_environment}-tempo"
    		8 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.app_assets
    	File: /terraform/deployments/govuk-publishing-infrastructure/app_assets_s3.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		1 | resource "aws_s3_bucket" "app_assets" {
    		2 |   bucket        = "govuk-app-assets-${var.govuk_environment}"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "App static assets for ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.location_api_import_csvs
    	File: /terraform/deployments/govuk-publishing-infrastructure/locations_api_s3.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		1 | resource "aws_s3_bucket" "location_api_import_csvs" {
    		2 |   bucket        = "govuk-${var.govuk_environment}-locations-api-import-csvs"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "CSVs used for importing postcode information into Locations API in ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.publisher_csvs
    	File: /terraform/deployments/govuk-publishing-infrastructure/publisher_s3.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		1 | resource "aws_s3_bucket" "publisher_csvs" {
    		2 |   bucket        = "govuk-${var.govuk_environment}-publisher-csvs"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "CSVs generated by Publisher in ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
    	FAILED for resource: aws_s3_bucket.search_analytics
    	File: /terraform/deployments/govuk-publishing-infrastructure/search_analytics_s3.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/s3-policies/s3-13-enable-logging.html
    
    		1 | resource "aws_s3_bucket" "search_analytics" {
    		2 |   bucket        = "govuk-search-analytics-${var.govuk_environment}"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "Search analytics reports for ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
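Every S3 finding in this output (CKV_AWS_144, CKV2_AWS_62, CKV_AWS_21, CKV2_AWS_61, CKV_AWS_18, and the CKV2_AWS_6 public access block findings that follow) has the same root cause: with AWS provider v4 and later, a bare `aws_s3_bucket` carries no versioning, logging, lifecycle or public access settings, and each is a separate companion resource that Checkov looks for by reference to the bucket. The block below is an added example for `app_assets`, not the repository's code; the same pattern applies to the other four buckets. `aws_s3_bucket.access_logs` is an assumed central log bucket.

```hcl
# Added example, not the repository's code.

resource "aws_s3_bucket" "app_assets" {
  # Not every check deserves a resource. Static assets are regenerated from
  # source, so cross-region replication adds cost without resilience, and
  # nothing consumes object events. Record that here instead of re-triaging.
  #checkov:skip=CKV_AWS_144:Assets are rebuilt from source; replication not required
  #checkov:skip=CKV2_AWS_62:No consumer for object events
  bucket        = "govuk-app-assets-${var.govuk_environment}"
  force_destroy = var.force_destroy
  tags = {
    Name        = "App static assets for ${var.govuk_environment}"
    Environment = var.govuk_environment
  }
}

# CKV2_AWS_6. Block every form of public grant regardless of what a bucket
# policy or ACL says. Assets meant for the public are served through
# CloudFront, not by opening the bucket.
resource "aws_s3_bucket_public_access_block" "app_assets" {
  bucket                  = aws_s3_bucket.app_assets.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# CKV_AWS_21. Versioning turns an accidental or malicious overwrite into a
# recoverable event instead of a loss.
resource "aws_s3_bucket_versioning" "app_assets" {
  bucket = aws_s3_bucket.app_assets.id
  versioning_configuration {
    status = "Enabled"
  }
}

# CKV_AWS_18. Server access logs go to a different bucket; a bucket must not
# log to itself. Skip this if CloudTrail data events already cover the bucket.
resource "aws_s3_bucket_logging" "app_assets" {
  bucket        = aws_s3_bucket.app_assets.id
  target_bucket = aws_s3_bucket.access_logs.id # assumed log bucket
  target_prefix = "s3/app-assets-${var.govuk_environment}/"
}

# CKV2_AWS_61. With versioning on, this is also what stops old versions
# accumulating forever. The empty filter applies the rule to every object.
resource "aws_s3_bucket_lifecycle_configuration" "app_assets" {
  bucket     = aws_s3_bucket.app_assets.id
  depends_on = [aws_s3_bucket_versioning.app_assets]

  rule {
    id     = "expire-noncurrent-and-abandoned-uploads"
    status = "Enabled"
    filter {}

    noncurrent_version_expiration {
      noncurrent_days = 90
    }
    abort_incomplete_multipart_upload {
      days_after_initiation = 7
    }
  }
}
```

Of the six, the public access block is the one to land first; the others are recoverability and audit controls, whereas a missing public access block is the setting that lets a later, well-meaning bucket policy expose the data. For the `tempo` trace bucket the same shape applies, but the lifecycle rule there should expire current objects too, since traces have a short useful life and the bucket will otherwise grow without bound.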
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: aws_s3_bucket.tempo
    	File: /terraform/deployments/cluster-services/tempo.tf:6-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		6 | resource "aws_s3_bucket" "tempo" {
    		7 |   bucket = "govuk-${var.govuk_environment}-tempo"
    		8 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: aws_s3_bucket.app_assets
    	File: /terraform/deployments/govuk-publishing-infrastructure/app_assets_s3.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		1 | resource "aws_s3_bucket" "app_assets" {
    		2 |   bucket        = "govuk-app-assets-${var.govuk_environment}"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "App static assets for ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: aws_s3_bucket.location_api_import_csvs
    	File: /terraform/deployments/govuk-publishing-infrastructure/locations_api_s3.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		1 | resource "aws_s3_bucket" "location_api_import_csvs" {
    		2 |   bucket        = "govuk-${var.govuk_environment}-locations-api-import-csvs"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "CSVs used for importing postcode information into Locations API in ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: aws_s3_bucket.publisher_csvs
    	File: /terraform/deployments/govuk-publishing-infrastructure/publisher_s3.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		1 | resource "aws_s3_bucket" "publisher_csvs" {
    		2 |   bucket        = "govuk-${var.govuk_environment}-publisher-csvs"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "CSVs generated by Publisher in ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
    	FAILED for resource: aws_s3_bucket.search_analytics
    	File: /terraform/deployments/govuk-publishing-infrastructure/search_analytics_s3.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached.html
    
    		1 | resource "aws_s3_bucket" "search_analytics" {
    		2 |   bucket        = "govuk-search-analytics-${var.govuk_environment}"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "Search analytics reports for ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.tempo
    	File: /terraform/deployments/cluster-services/tempo.tf:6-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		6 | resource "aws_s3_bucket" "tempo" {
    		7 |   bucket = "govuk-${var.govuk_environment}-tempo"
    		8 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.app_assets
    	File: /terraform/deployments/govuk-publishing-infrastructure/app_assets_s3.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		1 | resource "aws_s3_bucket" "app_assets" {
    		2 |   bucket        = "govuk-app-assets-${var.govuk_environment}"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "App static assets for ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.location_api_import_csvs
    	File: /terraform/deployments/govuk-publishing-infrastructure/locations_api_s3.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		1 | resource "aws_s3_bucket" "location_api_import_csvs" {
    		2 |   bucket        = "govuk-${var.govuk_environment}-locations-api-import-csvs"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "CSVs used for importing postcode information into Locations API in ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.publisher_csvs
    	File: /terraform/deployments/govuk-publishing-infrastructure/publisher_s3.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		1 | resource "aws_s3_bucket" "publisher_csvs" {
    		2 |   bucket        = "govuk-${var.govuk_environment}-publisher-csvs"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "CSVs generated by Publisher in ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
    	FAILED for resource: aws_s3_bucket.search_analytics
    	File: /terraform/deployments/govuk-publishing-infrastructure/search_analytics_s3.tf:1-8
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default.html
    
    		1 | resource "aws_s3_bucket" "search_analytics" {
    		2 |   bucket        = "govuk-search-analytics-${var.govuk_environment}"
    		3 |   force_destroy = var.force_destroy
    		4 |   tags = {
    		5 |     Name        = "Search analytics reports for ${var.govuk_environment}"
    		6 |     Environment = var.govuk_environment
    		7 |   }
    		8 | }
    
    Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
    	FAILED for resource: aws_cloudfront_distribution.www_distribution
    	File: /terraform/deployments/cloudfront/main.tf:319-421
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_65
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_32: "Ensure CloudFront distribution has a response headers policy attached"
    	FAILED for resource: aws_cloudfront_distribution.assets_distribution
    	File: /terraform/deployments/cloudfront/main.tf:423-480
    	Guide: https://docs.bridgecrew.io/docs/bc_aws_networking_65
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
    	FAILED for resource: aws_route53_zone.cluster_public
    	File: /terraform/deployments/cluster-infrastructure/external_dns.tf:48-51
    
    		48 | resource "aws_route53_zone" "cluster_public" {
    		49 |   name          = local.external_dns_zone_name
    		50 |   force_destroy = var.force_destroy
    		51 | }
    
    Check: CKV2_AWS_40: "Ensure AWS IAM policy does not allow full IAM privileges"
    	FAILED for resource: aws_iam_policy.tfc_policy
    	File: /terraform/deployments/tfc-configuration/aws/main.tf:38-94
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    dockerfile scan results:
    
    Passed checks: 132, Failed checks: 2, Skipped checks: 0
    
    Check: CKV_DOCKER_4: "Ensure that COPY is used instead of ADD in Dockerfiles"
    	FAILED for resource: /images/toolbox/Dockerfile.ADD
    	File: /images/toolbox/Dockerfile:11-11
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-copy-is-used-instead-of-add-in-dockerfiles.html
    
    		11 | ADD ${github_apt_repo}/githubcli-archive-keyring.gpg github.gpg
    
    Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
    	FAILED for resource: /images/toolbox/Dockerfile.
    	File: /images/toolbox/Dockerfile:1-52
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    secrets scan results:
    
    Passed checks: 0, Failed checks: 6, Skipped checks: 0
    
    Check: CKV_SECRET_6: "Base64 High Entropy String"
    	FAILED for resource: 4d26b34fa28f6e91a191c88ba3d4e1419d68fdc1
    	File: /terraform/deployments/cluster-infrastructure/external_secrets_iam.tf:8-9
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
    
    		8 |   external_secrets_service_account_name = "exte************"
    
    Check: CKV_SECRET_6: "Base64 High Entropy String"
    	FAILED for resource: c73577e34679e7ef336b540dbb34efc28c8e2652
    	File: /terraform/deployments/cluster-services/dex.tf:53-54
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
    
    		53 |           secretEnv    = "ARGO_W**********************"
    
    Check: CKV_SECRET_6: "Base64 High Entropy String"
    	FAILED for resource: 79ad3622a7a1970fcc14e645ab4bbf3dadc1adbd
    	File: /terraform/deployments/cluster-services/dex.tf:59-60
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
    
    		59 |           secretEnv    = "ARGOC***************"
    
    Check: CKV_SECRET_6: "Base64 High Entropy String"
    	FAILED for resource: bc307ba77099bb4925b71e90012dfaec2161f6cd
    	File: /terraform/deployments/cluster-services/dex.tf:65-66
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
    
    		65 |           secretEnv    = "GRAFA****************"
    
    Check: CKV_SECRET_6: "Base64 High Entropy String"
    	FAILED for resource: d501e390e19907f0ada5caeeb48987c78788b17b
    	File: /terraform/deployments/cluster-services/dex.tf:71-72
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
    
    		71 |           secretEnv    = "PROMET******************"
    
    Check: CKV_SECRET_6: "Base64 High Entropy String"
    	FAILED for resource: 49f89ae8ca7867458586c1c25136df416c7da8de
    	File: /terraform/deployments/cluster-services/dex.tf:77-78
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
    
    		77 |           secretEnv    = "ALERT_*********************"
    
    github_actions scan results:
    
    Passed checks: 322, Failed checks: 14, Skipped checks: 0
    
    Check: CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
    	FAILED for resource: on(Build and publish toolbox image to ECR)
    	File: /.github/workflows/build-toolbox-image.yml:6-13
    
    		6  |       gitRef:
    		7  |         description: 'Commit, tag or branch name to deploy'
    		8  |         required: true
    		9  |         type: string
    		10 |         default: 'main'
    		11 | 
    		12 |   push:
    		13 |     branches:
    
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(Build and publish toolbox image to ECR)
    	File: /.github/workflows/build-toolbox-image.yml:0-1
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(Run Jasmine)
    	File: /.github/workflows/jasmine.yml:0-1
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(Set automatic deploys)
    	File: /.github/workflows/set-automatic-deploys.yml:78-79
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(Run RuboCop)
    	File: /.github/workflows/rubocop.yml:0-1
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(Release)
    	File: /.github/workflows/release.yml:0-1
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(Deploy)
    	File: /.github/workflows/deploy.yml:85-86
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(Terraform validation and linting)
    	File: /.github/workflows/ci-terraform.yml:0-1
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(Publish a Rubygem)
    	File: /.github/workflows/publish-rubygem.yml:19-20
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(Run Brakeman)
    	File: /.github/workflows/brakeman.yml:0-1
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(Run Stylelint)
    	File: /.github/workflows/stylelint.yml:0-1
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(Run Standardx)
    	File: /.github/workflows/standardx.yml:0-1
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(CodeQL Analysis)
    	File: /.github/workflows/codeql-analysis.yml:0-1
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(Build and push image)
    	File: /.github/workflows/build-and-push-image.yml:0-1