Experience Builder


Terraform

Repository
cloudposse / terraform-aws-components
Description

Opinionated, self-contained Terraform root modules that each solve one, specific problem

Stars

 428

Failed Checks
  • Security Scanning
  • Linting

Scan Date

 2023-10-30 17:57:40

    Security Scanning

    This repository failed the Experience Builder Terraform Module's Security Scanning validation. This means that no security scanning tool was found in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to:

    Checkov Output
                    
    2023-10-05 14:48:20,056 [MainThread  ] [WARNI]  Failed to download module cloudposse/helm-release/aws:0.10.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,056 [MainThread  ] [WARNI]  Failed to download module cloudposse/ec2-client-vpn/aws:0.14.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,056 [MainThread  ] [WARNI]  Failed to download module cloudposse/security-group/aws:2.2.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,056 [MainThread  ] [WARNI]  Failed to download module cloudposse/rds/aws:0.38.5 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,056 [MainThread  ] [WARNI]  Failed to download module cloudposse/iam-role/aws:0.17.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,056 [MainThread  ] [WARNI]  Failed to download module cloudposse/config/yaml:1.0.2 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,056 [MainThread  ] [WARNI]  Failed to download module cloudposse/config/yaml//modules/deepmerge:1.0.2 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,056 [MainThread  ] [WARNI]  Failed to download module cloudposse/platform/datadog//modules/synthetics:1.0.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,057 [MainThread  ] [WARNI]  Failed to download module cloudposse/cloud-infrastructure-automation/spacelift//modules/spacelift-space:1.1.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,057 [MainThread  ] [WARNI]  Failed to download module cloudposse/cloud-infrastructure-automation/spacelift//modules/spacelift-policy:1.1.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,057 [MainThread  ] [WARNI]  Failed to download module cloudposse/ec2-autoscale-group/aws:0.35.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,057 [MainThread  ] [WARNI]  Failed to download module cloudposse/cloud-infrastructure-automation/spacelift//modules/spacelift-stacks-from-atmos-config:1.0.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,057 [MainThread  ] [WARNI]  Failed to download module cloudposse/cloud-infrastructure-automation/spacelift//modules/spacelift-stack:1.0.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,057 [MainThread  ] [WARNI]  Failed to download module cloudposse/config-storage/aws:1.0.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,057 [MainThread  ] [WARNI]  Failed to download module cloudposse/elasticache-redis/aws:0.52.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,057 [MainThread  ] [WARNI]  Failed to download module cloudposse/ssm-parameter-store/aws:0.9.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,058 [MainThread  ] [WARNI]  Failed to download module aws-ia/ipam/aws:1.2.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,058 [MainThread  ] [WARNI]  Failed to download module cloudposse/incident-management/opsgenie//modules/team:0.16.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,058 [MainThread  ] [WARNI]  Failed to download module cloudposse/incident-management/opsgenie//modules/service:0.16.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,058 [MainThread  ] [WARNI]  Failed to download module cloudposse/incident-management/opsgenie//modules/schedule:0.16.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,058 [MainThread  ] [WARNI]  Failed to download module cloudposse/incident-management/opsgenie//modules/team_routing_rule:0.16.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,058 [MainThread  ] [WARNI]  Failed to download module cloudposse/incident-management/opsgenie//modules/service_incident_rule:0.16.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,058 [MainThread  ] [WARNI]  Failed to download module cloudposse/incident-management/opsgenie//modules/api_integration:0.16.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,058 [MainThread  ] [WARNI]  Failed to download module cloudposse/vpc/aws:2.1.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,058 [MainThread  ] [WARNI]  Failed to download module cloudposse/vpc/aws//modules/vpc-endpoints:2.1.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,059 [MainThread  ] [WARNI]  Failed to download module cloudposse/dynamic-subnets/aws:2.3.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,059 [MainThread  ] [WARNI]  Failed to download module cloudposse/iam-account-settings/aws:0.4.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,059 [MainThread  ] [WARNI]  Failed to download module cloudposse/service-quotas/aws:0.1.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,059 [MainThread  ] [WARNI]  Failed to download module cloudposse/budgets/aws:0.2.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,059 [MainThread  ] [WARNI]  Failed to download module cloudposse/datadog-lambda-forwarder/aws:1.5.3 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,059 [MainThread  ] [WARNI]  Failed to download module cloudposse/tfstate-backend/aws:1.1.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,059 [MainThread  ] [WARNI]  Failed to download module cloudposse/eks-cluster/aws:2.9.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,059 [MainThread  ] [WARNI]  Failed to download module cloudposse/eks-iam-role/aws:2.1.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,060 [MainThread  ] [WARNI]  Failed to download module cloudposse/eks-fargate-profile/aws:1.3.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,060 [MainThread  ] [WARNI]  Failed to download module cloudposse/eks-node-group/aws:2.11.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,060 [MainThread  ] [WARNI]  Failed to download module cloudposse/sso/aws//modules/permission-sets:1.1.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,060 [MainThread  ] [WARNI]  Failed to download module cloudposse/sso/aws//modules/account-assignments:1.1.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,060 [MainThread  ] [WARNI]  Failed to download module cloudposse/sns-topic/aws:0.20.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,060 [MainThread  ] [WARNI]  Failed to download module cloudposse/config/aws//modules/conformance-pack:1.1.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,060 [MainThread  ] [WARNI]  Failed to download module cloudposse/config/aws:1.1.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,060 [MainThread  ] [WARNI]  Failed to download module cloudposse/alb/aws:1.10.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,060 [MainThread  ] [WARNI]  Failed to download module cloudposse/ssm-tls-ssh-key-pair/aws:0.10.2 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,061 [MainThread  ] [WARNI]  Failed to download module cloudposse/amplify-app/aws:0.2.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,061 [MainThread  ] [WARNI]  Failed to download module cloudposse/route53-cluster-hostname/aws:0.12.3 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,061 [MainThread  ] [WARNI]  Failed to download module cloudposse/documentdb-cluster/aws:0.14.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,061 [MainThread  ] [WARNI]  Failed to download module cloudposse/cloudwatch-logs/aws:0.6.8 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,061 [MainThread  ] [WARNI]  Failed to download module cloudposse/ecs-container-definition/aws:0.60.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,061 [MainThread  ] [WARNI]  Failed to download module cloudposse/ecs-alb-service-task/aws:0.71.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,062 [MainThread  ] [WARNI]  Failed to download module cloudposse/alb-ingress/aws:0.28.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,062 [MainThread  ] [WARNI]  Failed to download module cloudposse/route53-alias/aws:0.13.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,062 [MainThread  ] [WARNI]  Failed to download module cloudposse/ecs-cloudwatch-autoscaling/aws:0.7.3 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,062 [MainThread  ] [WARNI]  Failed to download module cloudposse/ecs-cloudwatch-sns-alarms/aws:0.12.3 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,062 [MainThread  ] [WARNI]  Failed to download module cloudposse/cloudwatch-logs/aws:0.6.6 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,062 [MainThread  ] [WARNI]  Failed to download module cloudposse/ecs-cluster/aws:0.4.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,062 [MainThread  ] [WARNI]  Failed to download module cloudposse/alb/aws:1.5.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,062 [MainThread  ] [WARNI]  Failed to download module cloudposse/dynamodb/aws:0.31.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,062 [MainThread  ] [WARNI]  Failed to download module cloudposse/global-accelerator/aws//modules/endpoint-group:0.5.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,063 [MainThread  ] [WARNI]  Failed to download module cloudposse/elasticsearch/aws:0.42.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,063 [MainThread  ] [WARNI]  Failed to download module cloudposse/lambda-elasticsearch-cleanup/aws:0.14.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,063 [MainThread  ] [WARNI]  Failed to download module cloudposse/mq-broker/aws:0.14.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,063 [MainThread  ] [WARNI]  Failed to download module cloudposse/module-artifact/external:0.8.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,063 [MainThread  ] [WARNI]  Failed to download module cloudposse/service-control-policies/aws:0.9.2 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,063 [MainThread  ] [WARNI]  Failed to download module cloudposse/redshift-cluster/aws:1.0.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,063 [MainThread  ] [WARNI]  Failed to download module cloudposse/s3-bucket/aws:3.1.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,063 [MainThread  ] [WARNI]  Failed to download module cloudposse/acm-request-certificate/aws:0.16.2 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,063 [MainThread  ] [WARNI]  Failed to download module cloudposse/cloudtrail-s3-bucket/aws:0.26.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,064 [MainThread  ] [WARNI]  Failed to download module cloudposse/acm-request-certificate/aws:0.17.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,064 [MainThread  ] [WARNI]  Failed to download module cloudposse/global-accelerator/aws:0.5.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,064 [MainThread  ] [WARNI]  Failed to download module cloudposse/ses/aws:0.22.3 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,064 [MainThread  ] [WARNI]  Failed to download module cloudposse/api-gateway/aws//modules/account-settings:0.3.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,064 [MainThread  ] [WARNI]  Failed to download module cloudposse/vpc-peering-multi-account/aws:0.19.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,064 [MainThread  ] [WARNI]  Failed to download module cloudposse/datadog-integration/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,064 [MainThread  ] [WARNI]  Failed to download module cloudposse/rds-cluster/aws:1.3.2 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,064 [MainThread  ] [WARNI]  Failed to download module cloudposse/athena/aws:0.1.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,064 [MainThread  ] [WARNI]  Failed to download module cloudposse/lakeformation/aws:0.1.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,064 [MainThread  ] [WARNI]  Failed to download module cloudposse/rds-cluster/aws:1.3.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,064 [MainThread  ] [WARNI]  Failed to download module cloudposse/github-action-token-rotator/aws:0.1.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,065 [MainThread  ] [WARNI]  Failed to download module cloudposse/platform/datadog//modules/monitors:1.0.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,065 [MainThread  ] [WARNI]  Failed to download module cloudposse/vpc-flow-logs-s3-bucket/aws:0.18.0 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,065 [MainThread  ] [WARNI]  Failed to download module cloudposse/efs/aws:0.32.7 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,065 [MainThread  ] [WARNI]  Failed to download module cloudposse/network-firewall/aws:0.3.2 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,065 [MainThread  ] [WARNI]  Failed to download module cloudposse/ec2-instance/aws:0.32.2 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,065 [MainThread  ] [WARNI]  Failed to download module cloudposse/dms/aws//modules/dms-iam:0.1.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,065 [MainThread  ] [WARNI]  Failed to download module cloudposse/dms/aws//modules/dms-endpoint:0.1.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,065 [MainThread  ] [WARNI]  Failed to download module cloudposse/dms/aws//modules/dms-replication-task:0.1.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,065 [MainThread  ] [WARNI]  Failed to download module cloudposse/dms/aws//modules/dms-replication-instance:0.1.1 (for external modules, the --download-external-modules flag is required)
    2023-10-05 14:48:20,179 [MainThread  ] [WARNI]  Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/datadog-configuration/modules/datadog_keys:latest failed to load via 
    2023-10-05 14:48:20,183 [MainThread  ] [WARNI]  Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/datadog-configuration/modules/datadog_keys, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/datadog-configuration/modules/datadog_keys
    2023-10-05 14:48:20,183 [MainThread  ] [WARNI]  Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/account-map/modules/iam-roles:latest failed to load via 
    2023-10-05 14:48:20,183 [MainThread  ] [WARNI]  Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/account-map/modules/iam-roles, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/account-map/modules/iam-roles
    2023-10-05 14:48:20,184 [MainThread  ] [WARNI]  Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/account-map/modules/iam-roles:latest failed to load via 
    2023-10-05 14:48:20,184 [MainThread  ] [WARNI]  Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/account-map/modules/iam-roles, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/account-map/modules/iam-roles
    2023-10-05 14:48:20,190 [MainThread  ] [WARNI]  Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/mixins/account-map/modules/team-assume-role-policy:latest failed to load via 
    2023-10-05 14:48:20,205 [MainThread  ] [WARNI]  Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/mixins/account-map/modules/team-assume-role-policy, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/mixins/account-map/modules/team-assume-role-policy
    2023-10-05 14:48:22,492 [MainThread  ] [WARNI]  Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/deprecated/securityhub/account-map/modules/iam-roles:latest failed to load via 
    2023-10-05 14:48:22,495 [MainThread  ] [WARNI]  Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/deprecated/securityhub/account-map/modules/iam-roles, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/deprecated/securityhub/account-map/modules/iam-roles
    2023-10-05 14:48:22,553 [MainThread  ] [WARNI]  Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/deprecated/securityhub/account-map/modules/iam-roles:latest failed to load via 
    2023-10-05 14:48:22,558 [MainThread  ] [WARNI]  Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/deprecated/securityhub/account-map/modules/iam-roles, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/deprecated/securityhub/account-map/modules/iam-roles
    2023-10-05 14:48:22,676 [MainThread  ] [WARNI]  Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/modules/account-map/modules/iam-assume-role-policy:latest failed to load via 
    2023-10-05 14:48:22,694 [MainThread  ] [WARNI]  Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/modules/account-map/modules/iam-assume-role-policy, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/modules/account-map/modules/iam-assume-role-policy
    2023-10-05 14:48:24,299 [MainThread  ] [WARNI]  Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/deprecated/aws/account-map/modules/iam-roles:latest failed to load via 
    2023-10-05 14:48:24,299 [MainThread  ] [WARNI]  Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/deprecated/aws/account-map/modules/iam-roles, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/deprecated/aws/account-map/modules/iam-roles
    2023-10-05 14:48:24,875 [MainThread  ] [WARNI]  Module /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/modules/account-map/modules/iam-assume-role-policy:latest failed to load via 
    2023-10-05 14:48:24,875 [MainThread  ] [WARNI]  Unable to load module - source: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/modules/account-map/modules/iam-assume-role-policy, version: latest, error: /home/brett/smallbets/ladoj/gh_scraper/tfcheck/terraform-aws-components/modules/account-map/modules/iam-assume-role-policy
    terraform scan results:
    
    Passed checks: 1215, Failed checks: 258, Skipped checks: 5, Parsing errors: 2
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.acl_arn
    	File: /deprecated/aws-waf-acl/main.tf:30-37
    
    		30 | resource "aws_ssm_parameter" "acl_arn" {
    		31 |   count       = local.enabled ? 1 : 0
    		32 |   name        = "${var.ssm_path_prefix}/${var.acl_name}/arn"
    		33 |   value       = module.aws_waf.arn
    		34 |   description = "ARN for WAF web ACL ${var.acl_name}"
    		35 |   type        = "String"
    		36 |   overwrite   = true
    		37 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.account_id
    	File: /deprecated/aws/accounts/stage/main.tf:16-23
    
    		16 | resource "aws_ssm_parameter" "account_id" {
    		17 |   count       = local.count
    		18 |   name        = "/${var.namespace}/${var.stage}/account_id"
    		19 |   description = "AWS Account ID"
    		20 |   type        = "String"
    		21 |   value       = local.account_id
    		22 |   overwrite   = "true"
    		23 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.account_arn
    	File: /deprecated/aws/accounts/stage/main.tf:25-32
    
    		25 | resource "aws_ssm_parameter" "account_arn" {
    		26 |   count       = local.count
    		27 |   name        = "/${var.namespace}/${var.stage}/account_arn"
    		28 |   description = "AWS Account ARN"
    		29 |   type        = "String"
    		30 |   value       = local.account_arn
    		31 |   overwrite   = "true"
    		32 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.organization_account_access_role
    	File: /deprecated/aws/accounts/stage/main.tf:34-41
    
    		34 | resource "aws_ssm_parameter" "organization_account_access_role" {
    		35 |   count       = local.count
    		36 |   name        = "/${var.namespace}/${var.stage}/organization_account_access_role"
    		37 |   description = "AWS Organization Account Access Role"
    		38 |   type        = "String"
    		39 |   value       = local.organization_account_access_role
    		40 |   overwrite   = "true"
    		41 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.certificate_arn_parameter
    	File: /deprecated/aws/acm-teleport/main.tf:23-29
    
    		23 | resource "aws_ssm_parameter" "certificate_arn_parameter" {
    		24 |   name        = format(var.chamber_parameter_name, var.chamber_service, var.certificate_arn_parameter_name)
    		25 |   value       = module.certificate.arn
    		26 |   description = "Teleport ACM-issued TLS Certificate AWS ARN"
    		27 |   type        = "String"
    		28 |   overwrite   = "true"
    		29 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.certificate_arn_parameter
    	File: /deprecated/aws/acm/main.tf:22-28
    
    		22 | resource "aws_ssm_parameter" "certificate_arn_parameter" {
    		23 |   name        = format(var.chamber_parameter_name_format, var.chamber_service, var.certificate_arn_parameter_name)
    		24 |   value       = module.certificate.arn
    		25 |   description = "ACM-issued TLS Certificate ARN"
    		26 |   type        = "String"
    		27 |   overwrite   = true
    		28 | }
    
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.kms_key_logs
    	File: /deprecated/aws/audit-cloudtrail/cloudwatch_logs.tf:33-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		33 | data "aws_iam_policy_document" "kms_key_logs" {
    		34 |   statement {
    		35 |     sid    = "Allow CloudWatch to Encrypt with the key"
    		36 |     effect = "Allow"
    		37 | 
    		38 |     actions = [
    		39 |       "kms:Encrypt*",
    		40 |       "kms:Decrypt*",
    		41 |       "kms:ReEncrypt*",
    		42 |       "kms:GenerateDataKey*",
    		43 |       "kms:Describe*",
    		44 |     ]
    		45 | 
    		46 |     resources = [
    		47 |       "*",
    		48 |     ]
    		49 | 
    		50 |     principals {
    		51 |       type = "Service"
    		52 | 
    		53 |       identifiers = [
    		54 |         "logs.${local.region}.amazonaws.com",
    		55 |       ]
    		56 |     }
    		57 |   }
    		58 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.kms_key_logs
    	File: /deprecated/aws/audit-cloudtrail/cloudwatch_logs.tf:33-58
    
    		33 | data "aws_iam_policy_document" "kms_key_logs" {
    		34 |   statement {
    		35 |     sid    = "Allow CloudWatch to Encrypt with the key"
    		36 |     effect = "Allow"
    		37 | 
    		38 |     actions = [
    		39 |       "kms:Encrypt*",
    		40 |       "kms:Decrypt*",
    		41 |       "kms:ReEncrypt*",
    		42 |       "kms:GenerateDataKey*",
    		43 |       "kms:Describe*",
    		44 |     ]
    		45 | 
    		46 |     resources = [
    		47 |       "*",
    		48 |     ]
    		49 | 
    		50 |     principals {
    		51 |       type = "Service"
    		52 | 
    		53 |       identifiers = [
    		54 |         "logs.${local.region}.amazonaws.com",
    		55 |       ]
    		56 |     }
    		57 |   }
    		58 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.aws_metrics_iam_role
    	File: /deprecated/aws/aws-metrics-role/main.tf:117-123
    
    		117 | resource "aws_ssm_parameter" "aws_metrics_iam_role" {
    		118 |   name        = format(var.chamber_parameter_name_pattern, local.chamber_service, "aws_metrics_iam_role")
    		119 |   value       = aws_iam_role.default.name
    		120 |   description = "IAM role name for AWS metrics access"
    		121 |   type        = "String"
    		122 |   overwrite   = "true"
    		123 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.aws_metrics_iam_namespace[0]
    	File: /deprecated/aws/aws-metrics-role/main.tf:125-132
    
    		125 | resource "aws_ssm_parameter" "aws_metrics_iam_namespace" {
    		126 |   count       = length(var.cloudwatch_namespace) > 0 ? 1 : 0
    		127 |   name        = format(var.chamber_parameter_name_pattern, local.chamber_service, "aws_metrics_iam_namespace")
    		128 |   value       = var.cloudwatch_namespace
    		129 |   description = "Kubernetes namespace for AWS metrics accessors"
    		130 |   type        = "String"
    		131 |   overwrite   = "true"
    		132 | }
    
    Check: CKV_AWS_274: "Disallow IAM roles, users, and groups from using the AWS AdministratorAccess policy"
    	FAILED for resource: aws_iam_role_policy_attachment.administrator_access
    	File: /deprecated/aws/bootstrap/main.tf:49-52
    
    		49 | resource "aws_iam_role_policy_attachment" "administrator_access" {
    		50 |   role       = aws_iam_role.bootstrap.name
    		51 |   policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
    		52 | }
    
    Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
    	FAILED for resource: aws_iam_policy_document.executor
    	File: /deprecated/aws/cis-executor/main.tf:36-271
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.executor
    	File: /deprecated/aws/cis-executor/main.tf:36-271
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.executor
    	File: /deprecated/aws/cis-executor/main.tf:36-271
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.kms_key_logs
    	File: /deprecated/aws/cloudtrail/cloudwatch_logs.tf:33-58
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		33 | data "aws_iam_policy_document" "kms_key_logs" {
    		34 |   statement {
    		35 |     sid    = "Allow CloudWatch to Encrypt with the key"
    		36 |     effect = "Allow"
    		37 | 
    		38 |     actions = [
    		39 |       "kms:Encrypt*",
    		40 |       "kms:Decrypt*",
    		41 |       "kms:ReEncrypt*",
    		42 |       "kms:GenerateDataKey*",
    		43 |       "kms:Describe*",
    		44 |     ]
    		45 | 
    		46 |     resources = [
    		47 |       "*",
    		48 |     ]
    		49 | 
    		50 |     principals {
    		51 |       type = "Service"
    		52 | 
    		53 |       identifiers = [
    		54 |         "logs.${local.region}.amazonaws.com",
    		55 |       ]
    		56 |     }
    		57 |   }
    		58 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.kms_key_logs
    	File: /deprecated/aws/cloudtrail/cloudwatch_logs.tf:33-58
    
    		33 | data "aws_iam_policy_document" "kms_key_logs" {
    		34 |   statement {
    		35 |     sid    = "Allow CloudWatch to Encrypt with the key"
    		36 |     effect = "Allow"
    		37 | 
    		38 |     actions = [
    		39 |       "kms:Encrypt*",
    		40 |       "kms:Decrypt*",
    		41 |       "kms:ReEncrypt*",
    		42 |       "kms:GenerateDataKey*",
    		43 |       "kms:Describe*",
    		44 |     ]
    		45 | 
    		46 |     resources = [
    		47 |       "*",
    		48 |     ]
    		49 | 
    		50 |     principals {
    		51 |       type = "Service"
    		52 | 
    		53 |       identifiers = [
    		54 |         "logs.${local.region}.amazonaws.com",
    		55 |       ]
    		56 |     }
    		57 |   }
    		58 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.datadog_cluster_agent_token
    	File: /deprecated/aws/datadog/main.tf:45-51
    
    		45 | resource "aws_ssm_parameter" "datadog_cluster_agent_token" {
    		46 |   name        = format(var.chamber_parameter_name, local.chamber_service, "datadog_cluster_agent_token")
    		47 |   value       = random_string.tokens.result
    		48 |   description = "A cluster-internal secret for agent-to-agent communication. Must be 32+ characters a-zA-Z"
    		49 |   type        = "String"
    		50 |   overwrite   = "true"
    		51 | }
    
    Check: CKV_AWS_65: "Ensure container insights are enabled on ECS cluster"
    	FAILED for resource: aws_ecs_cluster.default
    	File: /deprecated/aws/ecs/ecs.tf:12-14
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-logging-policies/bc-aws-logging-11.html
    
    		12 | resource "aws_ecs_cluster" "default" {
    		13 |   name = module.ecs_cluster_label.id
    		14 | }
    
    Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
    	FAILED for resource: aws_sns_topic.default
    	File: /deprecated/aws/ecs/sns.tf:25-27
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/general-15.html
    
    		25 | resource "aws_sns_topic" "default" {
    		26 |   name_prefix = module.sns_topic_label.id
    		27 | }
    
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.autoscaler
    	File: /deprecated/aws/kops-aws-platform/autoscaler-role.tf:1-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		1  | data "aws_iam_policy_document" "autoscaler" {
    		2  |   statement {
    		3  |     sid = "AutoScaler"
    		4  | 
    		5  |     actions = [
    		6  |       "autoscaling:DescribeAutoScalingGroups",
    		7  |       "autoscaling:DescribeAutoScalingInstances",
    		8  |       "autoscaling:DescribeLaunchConfigurations",
    		9  |       "autoscaling:DescribeTags",
    		10 |       "autoscaling:SetDesiredCapacity",
    		11 |       "autoscaling:TerminateInstanceInAutoScalingGroup",
    		12 |     ]
    		13 | 
    		14 |     resources = ["*"]
    		15 |     effect    = "Allow"
    		16 |   }
    		17 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.autoscaler
    	File: /deprecated/aws/kops-aws-platform/autoscaler-role.tf:1-17
    
    		1  | data "aws_iam_policy_document" "autoscaler" {
    		2  |   statement {
    		3  |     sid = "AutoScaler"
    		4  | 
    		5  |     actions = [
    		6  |       "autoscaling:DescribeAutoScalingGroups",
    		7  |       "autoscaling:DescribeAutoScalingInstances",
    		8  |       "autoscaling:DescribeLaunchConfigurations",
    		9  |       "autoscaling:DescribeTags",
    		10 |       "autoscaling:SetDesiredCapacity",
    		11 |       "autoscaling:TerminateInstanceInAutoScalingGroup",
    		12 |     ]
    		13 | 
    		14 |     resources = ["*"]
    		15 |     effect    = "Allow"
    		16 |   }
    		17 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.kops_autoscaler_iam_role_name
    	File: /deprecated/aws/kops-aws-platform/autoscaler-role.tf:39-45
    
    		39 | resource "aws_ssm_parameter" "kops_autoscaler_iam_role_name" {
    		40 |   name        = format(local.chamber_parameter_format, var.chamber_service, "kubernetes_autoscaler_iam_role_name")
    		41 |   value       = module.autoscaler_role.name
    		42 |   description = "IAM role name for cluster autoscaler"
    		43 |   type        = "String"
    		44 |   overwrite   = "true"
    		45 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.kops_cluster_name
    	File: /deprecated/aws/kops/main.tf:138-144
    
    		138 | resource "aws_ssm_parameter" "kops_cluster_name" {
    		139 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_cluster_name")
    		140 |   value       = module.kops_state_backend.zone_name
    		141 |   description = "Kops cluster name"
    		142 |   type        = "String"
    		143 |   overwrite   = "true"
    		144 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.kops_state_store
    	File: /deprecated/aws/kops/main.tf:146-152
    
    		146 | resource "aws_ssm_parameter" "kops_state_store" {
    		147 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_state_store")
    		148 |   value       = "s3://${module.kops_state_backend.bucket_name}"
    		149 |   description = "Kops state store S3 bucket name"
    		150 |   type        = "String"
    		151 |   overwrite   = "true"
    		152 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.kops_state_store_region
    	File: /deprecated/aws/kops/main.tf:154-160
    
    		154 | resource "aws_ssm_parameter" "kops_state_store_region" {
    		155 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_state_store_region")
    		156 |   value       = module.kops_state_backend.bucket_region
    		157 |   description = "Kops state store (S3 bucket) region"
    		158 |   type        = "String"
    		159 |   overwrite   = "true"
    		160 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.kops_dns_zone
    	File: /deprecated/aws/kops/main.tf:162-168
    
    		162 | resource "aws_ssm_parameter" "kops_dns_zone" {
    		163 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_dns_zone")
    		164 |   value       = module.kops_state_backend.zone_name
    		165 |   description = "Kops DNS zone name"
    		166 |   type        = "String"
    		167 |   overwrite   = "true"
    		168 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.kops_dns_zone_id
    	File: /deprecated/aws/kops/main.tf:170-176
    
    		170 | resource "aws_ssm_parameter" "kops_dns_zone_id" {
    		171 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_dns_zone_id")
    		172 |   value       = module.kops_state_backend.zone_id
    		173 |   description = "Kops DNS zone ID"
    		174 |   type        = "String"
    		175 |   overwrite   = "true"
    		176 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.kops_network_cidr
    	File: /deprecated/aws/kops/main.tf:178-184
    
    		178 | resource "aws_ssm_parameter" "kops_network_cidr" {
    		179 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_network_cidr")
    		180 |   value       = local.vpc_network_cidr
    		181 |   description = "CIDR block of the kops virtual network"
    		182 |   type        = "String"
    		183 |   overwrite   = "true"
    		184 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.kops_shared_vpc_id[0]
    	File: /deprecated/aws/kops/main.tf:187-194
    
    		187 | resource "aws_ssm_parameter" "kops_shared_vpc_id" {
    		188 |   count       = var.create_vpc == "true" ? 0 : 1
    		189 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_shared_vpc_id")
    		190 |   value       = join("", data.aws_ssm_parameter.vpc_id.*.value)
    		191 |   description = "Kops (shared) VPC AWS ID"
    		192 |   type        = "String"
    		193 |   overwrite   = "true"
    		194 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.kops_shared_nat_gateways[0]
    	File: /deprecated/aws/kops/main.tf:197-204
    
    		197 | resource "aws_ssm_parameter" "kops_shared_nat_gateways" {
    		198 |   count       = var.create_vpc == "true" ? 0 : 1
    		199 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_shared_nat_gateways")
    		200 |   value       = var.use_shared_nat_gateways == "true" ? join("", data.aws_ssm_parameter.nat_gateways.*.value) : replace(local.private_subnet_cidrs, "/[^,]+/", "External")
    		201 |   description = "Kops (shared) private subnet NAT gateway AWS IDs"
    		202 |   type        = "String"
    		203 |   overwrite   = "true"
    		204 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.kops_shared_private_subnet_ids[0]
    	File: /deprecated/aws/kops/main.tf:207-214
    
    		207 | resource "aws_ssm_parameter" "kops_shared_private_subnet_ids" {
    		208 |   count       = var.create_vpc == "true" ? 0 : 1
    		209 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_shared_private_subnet_ids")
    		210 |   value       = join("", data.aws_ssm_parameter.private_subnet_ids.*.value)
    		211 |   description = "Kops private subnet AWS IDs"
    		212 |   type        = "String"
    		213 |   overwrite   = "true"
    		214 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.kops_shared_utility_subnet_ids[0]
    	File: /deprecated/aws/kops/main.tf:217-224
    
    		217 | resource "aws_ssm_parameter" "kops_shared_utility_subnet_ids" {
    		218 |   count       = var.create_vpc == "true" ? 0 : 1
    		219 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_shared_utility_subnet_ids")
    		220 |   value       = join("", data.aws_ssm_parameter.public_subnet_ids.*.value)
    		221 |   description = "Kops utility subnet AWS IDs"
    		222 |   type        = "String"
    		223 |   overwrite   = "true"
    		224 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.kops_private_subnets
    	File: /deprecated/aws/kops/main.tf:226-232
    
    		226 | resource "aws_ssm_parameter" "kops_private_subnets" {
    		227 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_private_subnets")
    		228 |   value       = local.private_subnet_cidrs
    		229 |   description = "Kops private subnet CIDRs"
    		230 |   type        = "String"
    		231 |   overwrite   = "true"
    		232 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.kops_utility_subnets
    	File: /deprecated/aws/kops/main.tf:234-240
    
    		234 | resource "aws_ssm_parameter" "kops_utility_subnets" {
    		235 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_utility_subnets")
    		236 |   value       = local.utility_subnet_cidrs
    		237 |   description = "Kops utility subnet CIDRs"
    		238 |   type        = "String"
    		239 |   overwrite   = "true"
    		240 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.kops_non_masquerade_cidr
    	File: /deprecated/aws/kops/main.tf:242-248
    
    		242 | resource "aws_ssm_parameter" "kops_non_masquerade_cidr" {
    		243 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_non_masquerade_cidr")
    		244 |   value       = var.kops_non_masquerade_cidr
    		245 |   description = "The CIDR range for Pod IPs"
    		246 |   type        = "String"
    		247 |   overwrite   = "true"
    		248 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.kops_availability_zones
    	File: /deprecated/aws/kops/main.tf:250-256
    
    		250 | resource "aws_ssm_parameter" "kops_availability_zones" {
    		251 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_availability_zones")
    		252 |   value       = join(",", local.availability_zones)
    		253 |   description = "Kops availability zones in which cluster will be provisioned"
    		254 |   type        = "String"
    		255 |   overwrite   = "true"
    		256 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.aurora_postgres_database_name[0]
    	File: /deprecated/aws/sentry/aurora-postgres.tf:130-137
    
    		130 | resource "aws_ssm_parameter" "aurora_postgres_database_name" {
    		131 |   count       = local.postgres_cluster_enabled ? 1 : 0
    		132 |   name        = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_database")
    		133 |   value       = module.aurora_postgres.database_name
    		134 |   description = "Aurora Postgres Database Name for Sentry"
    		135 |   type        = "String"
    		136 |   overwrite   = true
    		137 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.aurora_postgres_master_username[0]
    	File: /deprecated/aws/sentry/aurora-postgres.tf:139-146
    
    		139 | resource "aws_ssm_parameter" "aurora_postgres_master_username" {
    		140 |   count       = local.postgres_cluster_enabled ? 1 : 0
    		141 |   name        = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_user")
    		142 |   value       = module.aurora_postgres.master_username
    		143 |   description = "Aurora Postgres Username for Sentry's master DB user"
    		144 |   type        = "String"
    		145 |   overwrite   = true
    		146 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.aurora_postgres_master_password[0]
    	File: /deprecated/aws/sentry/aurora-postgres.tf:148-155
    
    		148 | resource "aws_ssm_parameter" "aurora_postgres_master_password" {
    		149 |   count       = local.postgres_cluster_enabled ? 1 : 0
    		150 |   name        = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_password")
    		151 |   value       = local.postgres_admin_password
    		152 |   description = "Aurora Postgres Password for Sentry's master DB user"
    		153 |   type        = "String"
    		154 |   overwrite   = true
    		155 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.aurora_postgres_master_hostname[0]
    	File: /deprecated/aws/sentry/aurora-postgres.tf:157-164
    
    		157 | resource "aws_ssm_parameter" "aurora_postgres_master_hostname" {
    		158 |   count       = local.postgres_cluster_enabled ? 1 : 0
    		159 |   name        = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_host")
    		160 |   value       = module.aurora_postgres.master_host
    		161 |   description = "Aurora Postgres DB Master hostname"
    		162 |   type        = "String"
    		163 |   overwrite   = true
    		164 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.aurora_postgres_replicas_hostname[0]
    	File: /deprecated/aws/sentry/aurora-postgres.tf:166-173
    
    		166 | resource "aws_ssm_parameter" "aurora_postgres_replicas_hostname" {
    		167 |   count       = local.postgres_cluster_enabled ? 1 : 0
    		168 |   name        = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_replicas_hostname")
    		169 |   value       = module.aurora_postgres.replicas_host
    		170 |   description = "Aurora Postgres DB Replicas hostname"
    		171 |   type        = "String"
    		172 |   overwrite   = true
    		173 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.aurora_postgres_cluster_name[0]
    	File: /deprecated/aws/sentry/aurora-postgres.tf:175-182
    
    		175 | resource "aws_ssm_parameter" "aurora_postgres_cluster_name" {
    		176 |   count       = local.postgres_cluster_enabled ? 1 : 0
    		177 |   name        = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_cluster_name")
    		178 |   value       = module.aurora_postgres.cluster_identifier
    		179 |   description = "Aurora Postgres DB Cluster Identifier"
    		180 |   type        = "String"
    		181 |   overwrite   = true
    		182 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.elasticache_redis_host[0]
    	File: /deprecated/aws/sentry/elasticache-redis.tf:63-70
    
    		63 | resource "aws_ssm_parameter" "elasticache_redis_host" {
    		64 |   count       = local.postgres_cluster_enabled ? 1 : 0
    		65 |   name        = format(local.chamber_parameter_format, local.chamber_service, "sentry_redis_host")
    		66 |   value       = module.elasticache_redis.host
    		67 |   description = "Elasticache host for Sentry"
    		68 |   type        = "String"
    		69 |   overwrite   = true
    		70 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.sentry_secret
    	File: /deprecated/aws/sentry/main.tf:42-48
    
    		42 | resource "aws_ssm_parameter" "sentry_secret" {
    		43 |   name        = format(local.chamber_parameter_format, local.chamber_service, "sentry_secret")
    		44 |   value       = random_string.sentry_secret_key.result
    		45 |   description = "Secret Key for Sentry to encrypt sessions"
    		46 |   type        = "String"
    		47 |   overwrite   = true
    		48 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.sentry_admin_user_password
    	File: /deprecated/aws/sentry/main.tf:50-56
    
    		50 | resource "aws_ssm_parameter" "sentry_admin_user_password" {
    		51 |   name        = format(local.chamber_parameter_format, local.chamber_service, "sentry_admin_user_password")
    		52 |   value       = random_string.sentry_admin_user_password.result
    		53 |   description = "Password for Sentry admin user"
    		54 |   type        = "String"
    		55 |   overwrite   = true
    		56 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.teleport_audit_sessions_uri
    	File: /deprecated/aws/teleport/main.tf:144-150
    
    		144 | resource "aws_ssm_parameter" "teleport_audit_sessions_uri" {
    		145 |   name        = format(var.chamber_parameter_name, local.chamber_service, "teleport_audit_sessions_uri")
    		146 |   value       = "s3://${module.teleport_backend.s3_bucket_id}"
    		147 |   description = "Teleport session logs storage URI"
    		148 |   type        = "String"
    		149 |   overwrite   = "true"
    		150 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.teleport_audit_events_uri
    	File: /deprecated/aws/teleport/main.tf:152-158
    
    		152 | resource "aws_ssm_parameter" "teleport_audit_events_uri" {
    		153 |   name        = format(var.chamber_parameter_name, local.chamber_service, "teleport_audit_events_uri")
    		154 |   value       = "dynamodb://${module.teleport_backend.dynamodb_audit_table_id}"
    		155 |   description = "Teleport audite events storage URI"
    		156 |   type        = "String"
    		157 |   overwrite   = "true"
    		158 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.teleport_cluster_state_dynamodb_table
    	File: /deprecated/aws/teleport/main.tf:160-166
    
    		160 | resource "aws_ssm_parameter" "teleport_cluster_state_dynamodb_table" {
    		161 |   name        = format(var.chamber_parameter_name, local.chamber_service, "teleport_cluster_state_dynamodb_table")
    		162 |   value       = module.teleport_backend.dynamodb_state_table_id
    		163 |   description = "Teleport cluster state storage dynamodb table"
    		164 |   type        = "String"
    		165 |   overwrite   = "true"
    		166 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.teleport_auth_iam_role
    	File: /deprecated/aws/teleport/main.tf:168-174
    
    		168 | resource "aws_ssm_parameter" "teleport_auth_iam_role" {
    		169 |   name        = format(var.chamber_parameter_name, local.chamber_service, "teleport_auth_iam_role")
    		170 |   value       = aws_iam_role.teleport.name
    		171 |   description = "Teleport auth IAM role"
    		172 |   type        = "String"
    		173 |   overwrite   = "true"
    		174 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.teleport_kubernetes_namespace
    	File: /deprecated/aws/teleport/main.tf:176-182
    
    		176 | resource "aws_ssm_parameter" "teleport_kubernetes_namespace" {
    		177 |   name        = format(var.chamber_parameter_name, local.chamber_service, "teleport_kubernetes_namespace")
    		178 |   value       = var.kubernetes_namespace
    		179 |   description = "Teleport auth IAM role"
    		180 |   type        = "String"
    		181 |   overwrite   = "true"
    		182 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.teleport_tokens[0]
    	File: /deprecated/aws/teleport/main.tf:198-205
    
    		198 | resource "aws_ssm_parameter" "teleport_tokens" {
    		199 |   count       = length(local.token_names)
    		200 |   name        = format(var.chamber_parameter_name, local.chamber_service, "${element(local.token_names, count.index)}")
    		201 |   value       = element(random_string.tokens.*.result, count.index)
    		202 |   description = "Teleport join token: ${element(local.token_names, count.index)}"
    		203 |   type        = "String"
    		204 |   overwrite   = "true"
    		205 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.teleport_proxy_domain_name
    	File: /deprecated/aws/teleport/main.tf:207-213
    
    		207 | resource "aws_ssm_parameter" "teleport_proxy_domain_name" {
    		208 |   name        = format(var.chamber_parameter_name, local.chamber_service, "teleport_proxy_domain_name")
    		209 |   value       = var.teleport_proxy_domain_name
    		210 |   description = "Teleport Proxy domain name"
    		211 |   type        = "String"
    		212 |   overwrite   = "true"
    		213 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.teleport_version
    	File: /deprecated/aws/teleport/main.tf:215-221
    
    		215 | resource "aws_ssm_parameter" "teleport_version" {
    		216 |   name        = format(var.chamber_parameter_name, local.chamber_service, "teleport_version")
    		217 |   value       = var.teleport_version
    		218 |   description = "Teleport version to install"
    		219 |   type        = "String"
    		220 |   overwrite   = "true"
    		221 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.teleport_tokens[1]
    	File: /deprecated/aws/teleport/main.tf:198-205
    
    		198 | resource "aws_ssm_parameter" "teleport_tokens" {
    		199 |   count       = length(local.token_names)
    		200 |   name        = format(var.chamber_parameter_name, local.chamber_service, "${element(local.token_names, count.index)}")
    		201 |   value       = element(random_string.tokens.*.result, count.index)
    		202 |   description = "Teleport join token: ${element(local.token_names, count.index)}"
    		203 |   type        = "String"
    		204 |   overwrite   = "true"
    		205 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.teleport_tokens[2]
    	File: /deprecated/aws/teleport/main.tf:198-205
    
    		198 | resource "aws_ssm_parameter" "teleport_tokens" {
    		199 |   count       = length(local.token_names)
    		200 |   name        = format(var.chamber_parameter_name, local.chamber_service, "${element(local.token_names, count.index)}")
    		201 |   value       = element(random_string.tokens.*.result, count.index)
    		202 |   description = "Teleport join token: ${element(local.token_names, count.index)}"
    		203 |   type        = "String"
    		204 |   overwrite   = "true"
    		205 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.vpc_id
    	File: /deprecated/aws/vpc/main.tf:62-68
    
    		62 | resource "aws_ssm_parameter" "vpc_id" {
    		63 |   description = "VPC ID of backing services"
    		64 |   name        = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "vpc_id")
    		65 |   value       = module.vpc.vpc_id
    		66 |   type        = "String"
    		67 |   overwrite   = "true"
    		68 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.igw_id
    	File: /deprecated/aws/vpc/main.tf:70-76
    
    		70 | resource "aws_ssm_parameter" "igw_id" {
    		71 |   description = "VPC ID of backing services"
    		72 |   name        = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "igw_id")
    		73 |   value       = module.vpc.igw_id
    		74 |   type        = "String"
    		75 |   overwrite   = "true"
    		76 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.cidr_block
    	File: /deprecated/aws/vpc/main.tf:78-84
    
    		78 | resource "aws_ssm_parameter" "cidr_block" {
    		79 |   description = "VPC ID of backing services"
    		80 |   name        = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "cidr_block")
    		81 |   value       = module.vpc.vpc_cidr_block
    		82 |   type        = "String"
    		83 |   overwrite   = "true"
    		84 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.availability_zones
    	File: /deprecated/aws/vpc/main.tf:86-92
    
    		86 | resource "aws_ssm_parameter" "availability_zones" {
    		87 |   name        = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "availability_zones")
    		88 |   value       = join(",", local.availability_zones)
    		89 |   description = "VPC subnet availability zones"
    		90 |   type        = "String"
    		91 |   overwrite   = "true"
    		92 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.private_subnet_cidrs
    	File: /deprecated/aws/vpc/main.tf:112-118
    
    		112 | resource "aws_ssm_parameter" "private_subnet_cidrs" {
    		113 |   name        = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "private_subnet_cidrs")
    		114 |   value       = join(",", module.subnets.private_subnet_cidrs)
    		115 |   description = "VPC private subnet CIDRs"
    		116 |   type        = "String"
    		117 |   overwrite   = "true"
    		118 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.private_subnet_ids
    	File: /deprecated/aws/vpc/main.tf:120-126
    
    		120 | resource "aws_ssm_parameter" "private_subnet_ids" {
    		121 |   name        = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "private_subnet_ids")
    		122 |   value       = join(",", module.subnets.private_subnet_ids)
    		123 |   description = "VPC private subnet AWS IDs"
    		124 |   type        = "String"
    		125 |   overwrite   = "true"
    		126 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.public_subnet_cidrs
    	File: /deprecated/aws/vpc/main.tf:128-134
    
    		128 | resource "aws_ssm_parameter" "public_subnet_cidrs" {
    		129 |   name        = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "public_subnet_cidrs")
    		130 |   value       = join(",", module.subnets.public_subnet_cidrs)
    		131 |   description = "VPC public subnet CIDRs"
    		132 |   type        = "String"
    		133 |   overwrite   = "true"
    		134 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.public_subnet_ids
    	File: /deprecated/aws/vpc/main.tf:136-142
    
    		136 | resource "aws_ssm_parameter" "public_subnet_ids" {
    		137 |   name        = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "public_subnet_ids")
    		138 |   value       = join(",", module.subnets.public_subnet_ids)
    		139 |   description = "VPC public subnet AWS IDs"
    		140 |   type        = "String"
    		141 |   overwrite   = "true"
    		142 | }
    
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.autoscaler
    	File: /deprecated/eks-iam/autoscaler.tf:15-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		15 | data "aws_iam_policy_document" "autoscaler" {
    		16 |   statement {
    		17 |     sid = "AllowToScaleEKSNodeGroupAutoScalingGroup"
    		18 | 
    		19 |     actions = [
    		20 |       "ec2:DescribeLaunchTemplateVersions",
    		21 |       "autoscaling:TerminateInstanceInAutoScalingGroup",
    		22 |       "autoscaling:SetDesiredCapacity",
    		23 |       "autoscaling:DescribeTags",
    		24 |       "autoscaling:DescribeLaunchConfigurations",
    		25 |       "autoscaling:DescribeAutoScalingInstances",
    		26 |       "autoscaling:DescribeAutoScalingGroups"
    		27 |     ]
    		28 | 
    		29 |     effect    = "Allow"
    		30 |     resources = ["*"]
    		31 |   }
    		32 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.autoscaler
    	File: /deprecated/eks-iam/autoscaler.tf:15-32
    
    		15 | data "aws_iam_policy_document" "autoscaler" {
    		16 |   statement {
    		17 |     sid = "AllowToScaleEKSNodeGroupAutoScalingGroup"
    		18 | 
    		19 |     actions = [
    		20 |       "ec2:DescribeLaunchTemplateVersions",
    		21 |       "autoscaling:TerminateInstanceInAutoScalingGroup",
    		22 |       "autoscaling:SetDesiredCapacity",
    		23 |       "autoscaling:DescribeTags",
    		24 |       "autoscaling:DescribeLaunchConfigurations",
    		25 |       "autoscaling:DescribeAutoScalingInstances",
    		26 |       "autoscaling:DescribeAutoScalingGroups"
    		27 |     ]
    		28 | 
    		29 |     effect    = "Allow"
    		30 |     resources = ["*"]
    		31 |   }
    		32 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.external_dns
    	File: /deprecated/eks-iam/external-dns.tf:15-39
    
    		15 | data "aws_iam_policy_document" "external_dns" {
    		16 |   statement {
    		17 |     sid = "GrantChangeResourceRecordSets"
    		18 | 
    		19 |     actions = [
    		20 |       "route53:ChangeResourceRecordSets"
    		21 |     ]
    		22 | 
    		23 |     effect    = "Allow"
    		24 |     resources = formatlist("arn:aws:route53:::hostedzone/%s", local.zone_ids)
    		25 |   }
    		26 | 
    		27 |   statement {
    		28 |     sid = "GrantListHostedZonesListResourceRecordSets"
    		29 | 
    		30 |     actions = [
    		31 |       "route53:ListHostedZones",
    		32 |       "route53:ListHostedZonesByName",
    		33 |       "route53:ListResourceRecordSets"
    		34 |     ]
    		35 | 
    		36 |     effect    = "Allow"
    		37 |     resources = ["*"]
    		38 |   }
    		39 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.support_access_trusted_advisor
    	File: /deprecated/iam-delegated-roles/policy-support.tf:16-30
    
    		16 | data "aws_iam_policy_document" "support_access_trusted_advisor" {
    		17 |   count = local.support_policy_enabled ? 1 : 0
    		18 | 
    		19 |   statement {
    		20 |     sid    = "AllowTrustedAdvisor"
    		21 |     effect = "Allow"
    		22 |     actions = [
    		23 |       "trustedadvisor:Describe*",
    		24 |     ]
    		25 | 
    		26 |     resources = [
    		27 |       "*",
    		28 |     ]
    		29 |   }
    		30 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.support_access_trusted_advisor
    	File: /deprecated/iam-primary-roles/policy-support.tf:16-30
    
    		16 | data "aws_iam_policy_document" "support_access_trusted_advisor" {
    		17 |   count = local.support_policy_enabled ? 1 : 0
    		18 | 
    		19 |   statement {
    		20 |     sid    = "AllowTrustedAdvisor"
    		21 |     effect = "Allow"
    		22 |     actions = [
    		23 |       "trustedadvisor:Describe*",
    		24 |     ]
    		25 | 
    		26 |     resources = [
    		27 |       "*",
    		28 |     ]
    		29 |   }
    		30 | }
    
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: module.okta_api_user.aws_iam_user.default
    	File: /deprecated/sso/modules/okta-user/main.tf:1-5
    	Calling File: /deprecated/sso/main.tf:11-18
    
    		1 | resource "aws_iam_user" "default" {
    		2 |   name          = module.this.id
    		3 |   tags          = module.this.tags
    		4 |   force_destroy = true
    		5 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.acm_arn
    	File: /modules/acm/main.tf:38-48
    
    		38 | resource "aws_ssm_parameter" "acm_arn" {
    		39 |   count = local.enabled ? 1 : 0
    		40 | 
    		41 |   name        = "/acm/${local.domain_name}"
    		42 |   value       = module.acm.arn
    		43 |   description = format("ACM certificate ARN for '%s' domain", local.domain_name)
    		44 |   type        = "String"
    		45 |   overwrite   = true
    		46 | 
    		47 |   tags = module.this.tags
    		48 | }
    
    Check: CKV_AWS_206: "Ensure API Gateway Domain uses a modern security Policy"
    	FAILED for resource: aws_api_gateway_domain_name.this
    	File: /modules/api-gateway-rest-api/main.tf:41-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-api-gateway-domain-uses-a-modern-security-policy.html
    
    		41 | resource "aws_api_gateway_domain_name" "this" {
    		42 |   count                    = local.enabled ? 1 : 0
    		43 |   domain_name              = local.domain_name
    		44 |   regional_certificate_arn = data.aws_acm_certificate.issued[0].arn
    		45 | 
    		46 |   endpoint_configuration {
    		47 |     types = ["REGIONAL"]
    		48 |   }
    		49 | 
    		50 |   tags = module.this.tags
    		51 | }
    
    Check: CKV_GIT_3: "Ensure GitHub repository has vulnerability alerts enabled"
    	FAILED for resource: github_repository.default[0]
    	File: /modules/argocd-repo/main.tf:45-53
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/build-integrity-policies/github-policies/ensure-github-repository-has-vulnerability-alerts-enabled.html
    
    		45 | resource "github_repository" "default" {
    		46 |   count = local.enabled && var.create_repo ? 1 : 0
    		47 | 
    		48 |   name        = module.this.name
    		49 |   description = var.description
    		50 |   auto_init   = true # will create a 'main' branch
    		51 | 
    		52 |   visibility = "private"
    		53 | }
    
    Check: CKV_GIT_5: "GitHub pull requests should require at least 2 approvals"
    	FAILED for resource: github_branch_protection.default
    	File: /modules/argocd-repo/main.tf:68-88
    	Guide: https://docs.bridgecrew.io/docs/merge-requests-should-require-at-least-2-approvals
    
    		68 | resource "github_branch_protection" "default" {
    		69 |   # This resource enforces PRs needing to be opened in order for changes to be made, except for automated commits to
    		70 |   # the main branch. Those commits made by the automation user, which is an admin.
    		71 |   count = local.enabled ? 1 : 0
    		72 | 
    		73 |   repository_id = local.github_repository.name
    		74 | 
    		75 |   pattern          = join("", github_branch_default.default.*.branch)
    		76 |   enforce_admins   = false # needs to be false in order to allow automation user to push
    		77 |   allows_deletions = true
    		78 | 
    		79 |   required_pull_request_reviews {
    		80 |     dismiss_stale_reviews      = true
    		81 |     restrict_dismissals        = true
    		82 |     require_code_owner_reviews = true
    		83 |   }
    		84 | 
    		85 |   push_restrictions = [
    		86 |     join("", data.github_user.automation_user.*.node_id),
    		87 |   ]
    		88 | }
    
    Check: CKV_GIT_6: "Ensure GitHub branch protection rules requires signed commits"
    	FAILED for resource: github_branch_protection.default
    	File: /modules/argocd-repo/main.tf:68-88
    	Guide: https://docs.bridgecrew.io/docs/ensure-github-branch-protection-rules-requires-signed-commits
    
    		68 | resource "github_branch_protection" "default" {
    		69 |   # This resource enforces PRs needing to be opened in order for changes to be made, except for automated commits to
    		70 |   # the main branch. Those commits made by the automation user, which is an admin.
    		71 |   count = local.enabled ? 1 : 0
    		72 | 
    		73 |   repository_id = local.github_repository.name
    		74 | 
    		75 |   pattern          = join("", github_branch_default.default.*.branch)
    		76 |   enforce_admins   = false # needs to be false in order to allow automation user to push
    		77 |   allows_deletions = true
    		78 | 
    		79 |   required_pull_request_reviews {
    		80 |     dismiss_stale_reviews      = true
    		81 |     restrict_dismissals        = true
    		82 |     require_code_owner_reviews = true
    		83 |   }
    		84 | 
    		85 |   push_restrictions = [
    		86 |     join("", data.github_user.automation_user.*.node_id),
    		87 |   ]
    		88 | }
    
    Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
    	FAILED for resource: aws_iam_policy_document.kms_key_rds
    	File: /modules/aurora-mysql/kms.tf:23-76
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.kms_key_rds
    	File: /modules/aurora-mysql/kms.tf:23-76
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.kms_key_rds
    	File: /modules/aurora-mysql/kms.tf:23-76
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
    	FAILED for resource: aws_iam_policy_document.kms_key_rds
    	File: /modules/aurora-postgres/kms.tf:23-75
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.kms_key_rds
    	File: /modules/aurora-postgres/kms.tf:23-75
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.kms_key_rds
    	File: /modules/aurora-postgres/kms.tf:23-75
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_273: "Ensure access is controlled through SSO and not AWS IAM defined users"
    	FAILED for resource: module.okta_api_user.aws_iam_user.default
    	File: /modules/aws-saml/modules/okta-user/main.tf:5-11
    	Calling File: /modules/aws-saml/main.tf:12-19
    
    		5  | resource "aws_iam_user" "default" {
    		6  |   count = local.enabled ? 1 : 0
    		7  | 
    		8  |   name          = module.this.id
    		9  |   tags          = module.this.tags
    		10 |   force_destroy = true
    		11 | }
    
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.dns_administrator_access
    	File: /modules/aws-sso/policy-DNSAdministratorAccess.tf:1-26
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		1  | data "aws_iam_policy_document" "dns_administrator_access" {
    		2  |   statement {
    		3  |     sid    = "AllowDNS"
    		4  |     effect = "Allow"
    		5  |     actions = [
    		6  |       "route53:ChangeResourceRecordSets",
    		7  |       "route53:CreateHealthCheck",
    		8  |       "route53:CreateTrafficPolicy",
    		9  |       "route53:CreateTrafficPolicyInstance",
    		10 |       "route53:CreateTrafficPolicyVersion",
    		11 |       "route53:DeleteHealthCheck",
    		12 |       "route53:DeleteTrafficPolicy",
    		13 |       "route53:DeleteTrafficPolicyInstance",
    		14 |       "route53:Get*",
    		15 |       "route53:List*",
    		16 |       "route53:UpdateHealthCheck",
    		17 |       "route53:UpdateTrafficPolicyComment",
    		18 |       "route53:UpdateTrafficPolicyInstance",
    		19 |       "route53domains:List*",
    		20 |     ]
    		21 | 
    		22 |     resources = [
    		23 |       "*",
    		24 |     ]
    		25 |   }
    		26 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.dns_administrator_access
    	File: /modules/aws-sso/policy-DNSAdministratorAccess.tf:1-26
    
    		1  | data "aws_iam_policy_document" "dns_administrator_access" {
    		2  |   statement {
    		3  |     sid    = "AllowDNS"
    		4  |     effect = "Allow"
    		5  |     actions = [
    		6  |       "route53:ChangeResourceRecordSets",
    		7  |       "route53:CreateHealthCheck",
    		8  |       "route53:CreateTrafficPolicy",
    		9  |       "route53:CreateTrafficPolicyInstance",
    		10 |       "route53:CreateTrafficPolicyVersion",
    		11 |       "route53:DeleteHealthCheck",
    		12 |       "route53:DeleteTrafficPolicy",
    		13 |       "route53:DeleteTrafficPolicyInstance",
    		14 |       "route53:Get*",
    		15 |       "route53:List*",
    		16 |       "route53:UpdateHealthCheck",
    		17 |       "route53:UpdateTrafficPolicyComment",
    		18 |       "route53:UpdateTrafficPolicyInstance",
    		19 |       "route53domains:List*",
    		20 |     ]
    		21 | 
    		22 |     resources = [
    		23 |       "*",
    		24 |     ]
    		25 |   }
    		26 | }
    
    Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
    	FAILED for resource: aws_iam_policy_document.assume_aws_team
    	File: /modules/aws-sso/policy-Identity-role-TeamAccess.tf:6-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-credentials-exposure.html
    
    		6  | data "aws_iam_policy_document" "assume_aws_team" {
    		7  |   for_each = local.enabled ? var.aws_teams_accessible : []
    		8  | 
    		9  |   statement {
    		10 |     sid = "RoleAssumeRole"
    		11 | 
    		12 |     effect = "Allow"
    		13 |     actions = [
    		14 |       "sts:AssumeRole",
    		15 |       "sts:SetSourceIdentity",
    		16 |       "sts:TagSession",
    		17 |     ]
    		18 | 
    		19 |     resources = ["*"]
    		20 | 
    		21 |     /* For future reference, this tag-based restriction also works, based on
    		22 |        the fact that we always tag our IAM roles with the "Name" tag.
    		23 |        This could be used to control access based on some other tag, like "Category",
    		24 |        so is left here as an example.
    		25 | 
    		26 |     condition {
    		27 |       test     = "ForAllValues:StringEquals"
    		28 |       variable = "iam:ResourceTag/Name"  # "Name" is the Tag Key
    		29 |       values   = [format("%s-%s", module.role_prefix.id, each.value)]
    		30 |     }
    		31 |     resources = [
    		32 |       # This allows/restricts access to only IAM roles, not users or SSO roles
    		33 |       format("arn:aws:iam::%s:role/*", local.identity_account)
    		34 |     ]
    		35 | 
    		36 |     */
    		37 | 
    		38 |   }
    		39 | }
    
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.assume_aws_team
    	File: /modules/aws-sso/policy-Identity-role-TeamAccess.tf:6-39
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		6  | data "aws_iam_policy_document" "assume_aws_team" {
    		7  |   for_each = local.enabled ? var.aws_teams_accessible : []
    		8  | 
    		9  |   statement {
    		10 |     sid = "RoleAssumeRole"
    		11 | 
    		12 |     effect = "Allow"
    		13 |     actions = [
    		14 |       "sts:AssumeRole",
    		15 |       "sts:SetSourceIdentity",
    		16 |       "sts:TagSession",
    		17 |     ]
    		18 | 
    		19 |     resources = ["*"]
    		20 | 
    		21 |     /* For future reference, this tag-based restriction also works, based on
    		22 |        the fact that we always tag our IAM roles with the "Name" tag.
    		23 |        This could be used to control access based on some other tag, like "Category",
    		24 |        so is left here as an example.
    		25 | 
    		26 |     condition {
    		27 |       test     = "ForAllValues:StringEquals"
    		28 |       variable = "iam:ResourceTag/Name"  # "Name" is the Tag Key
    		29 |       values   = [format("%s-%s", module.role_prefix.id, each.value)]
    		30 |     }
    		31 |     resources = [
    		32 |       # This allows/restricts access to only IAM roles, not users or SSO roles
    		33 |       format("arn:aws:iam::%s:role/*", local.identity_account)
    		34 |     ]
    		35 | 
    		36 |     */
    		37 | 
    		38 |   }
    		39 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.assume_aws_team
    	File: /modules/aws-sso/policy-Identity-role-TeamAccess.tf:6-39
    
    		6  | data "aws_iam_policy_document" "assume_aws_team" {
    		7  |   for_each = local.enabled ? var.aws_teams_accessible : []
    		8  | 
    		9  |   statement {
    		10 |     sid = "RoleAssumeRole"
    		11 | 
    		12 |     effect = "Allow"
    		13 |     actions = [
    		14 |       "sts:AssumeRole",
    		15 |       "sts:SetSourceIdentity",
    		16 |       "sts:TagSession",
    		17 |     ]
    		18 | 
    		19 |     resources = ["*"]
    		20 | 
    		21 |     /* For future reference, this tag-based restriction also works, based on
    		22 |        the fact that we always tag our IAM roles with the "Name" tag.
    		23 |        This could be used to control access based on some other tag, like "Category",
    		24 |        so is left here as an example.
    		25 | 
    		26 |     condition {
    		27 |       test     = "ForAllValues:StringEquals"
    		28 |       variable = "iam:ResourceTag/Name"  # "Name" is the Tag Key
    		29 |       values   = [format("%s-%s", module.role_prefix.id, each.value)]
    		30 |     }
    		31 |     resources = [
    		32 |       # This allows/restricts access to only IAM roles, not users or SSO roles
    		33 |       format("arn:aws:iam::%s:role/*", local.identity_account)
    		34 |     ]
    		35 | 
    		36 |     */
    		37 | 
    		38 |   }
    		39 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.eks_read_only
    	File: /modules/aws-sso/policy-ReadOnlyAccess.tf:17-31
    
    		17 | data "aws_iam_policy_document" "eks_read_only" {
    		18 |   statement {
    		19 |     sid    = "AllowEKSView"
    		20 |     effect = "Allow"
    		21 |     actions = [
    		22 |       "eks:Get*",
    		23 |       "eks:Describe*",
    		24 |       "eks:List*",
    		25 |       "eks:Access*"
    		26 |     ]
    		27 |     resources = [
    		28 |       "*"
    		29 |     ]
    		30 |   }
    		31 | }
    
    Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_policy_document.ssosync_lambda_identity_center
    	File: /modules/aws-ssosync/iam.tf:13-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
    
    		13 | data "aws_iam_policy_document" "ssosync_lambda_identity_center" {
    		14 |   statement {
    		15 |     effect = "Allow"
    		16 |     actions = [
    		17 |       "identitystore:DeleteUser",
    		18 |       "identitystore:CreateGroup",
    		19 |       "identitystore:CreateGroupMembership",
    		20 |       "identitystore:ListGroups",
    		21 |       "identitystore:ListUsers",
    		22 |       "identitystore:ListGroupMemberships",
    		23 |       "identitystore:IsMemberInGroups",
    		24 |       "identitystore:GetGroupMembershipId",
    		25 |       "identitystore:DeleteGroupMembership",
    		26 |       "identitystore:DeleteGroup",
    		27 |       "secretsmanager:GetSecretValue",
    		28 |       "kms:Decrypt"
    		29 |     ]
    		30 |     resources = ["*"]
    		31 |   }
    		32 | }
    
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.ssosync_lambda_identity_center
    	File: /modules/aws-ssosync/iam.tf:13-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		13 | data "aws_iam_policy_document" "ssosync_lambda_identity_center" {
    		14 |   statement {
    		15 |     effect = "Allow"
    		16 |     actions = [
    		17 |       "identitystore:DeleteUser",
    		18 |       "identitystore:CreateGroup",
    		19 |       "identitystore:CreateGroupMembership",
    		20 |       "identitystore:ListGroups",
    		21 |       "identitystore:ListUsers",
    		22 |       "identitystore:ListGroupMemberships",
    		23 |       "identitystore:IsMemberInGroups",
    		24 |       "identitystore:GetGroupMembershipId",
    		25 |       "identitystore:DeleteGroupMembership",
    		26 |       "identitystore:DeleteGroup",
    		27 |       "secretsmanager:GetSecretValue",
    		28 |       "kms:Decrypt"
    		29 |     ]
    		30 |     resources = ["*"]
    		31 |   }
    		32 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.ssosync_lambda_identity_center
    	File: /modules/aws-ssosync/iam.tf:13-32
    
    		13 | data "aws_iam_policy_document" "ssosync_lambda_identity_center" {
    		14 |   statement {
    		15 |     effect = "Allow"
    		16 |     actions = [
    		17 |       "identitystore:DeleteUser",
    		18 |       "identitystore:CreateGroup",
    		19 |       "identitystore:CreateGroupMembership",
    		20 |       "identitystore:ListGroups",
    		21 |       "identitystore:ListUsers",
    		22 |       "identitystore:ListGroupMemberships",
    		23 |       "identitystore:IsMemberInGroups",
    		24 |       "identitystore:GetGroupMembershipId",
    		25 |       "identitystore:DeleteGroupMembership",
    		26 |       "identitystore:DeleteGroup",
    		27 |       "secretsmanager:GetSecretValue",
    		28 |       "kms:Decrypt"
    		29 |     ]
    		30 |     resources = ["*"]
    		31 |   }
    		32 | }
    
    Check: CKV_AWS_50: "X-ray tracing is enabled for Lambda"
    	FAILED for resource: aws_lambda_function.ssosync
    	File: /modules/aws-ssosync/main.tf:67-100
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4.html
    
    		67  | resource "aws_lambda_function" "ssosync" {
    		68  |   count = local.enabled ? 1 : 0
    		69  | 
    		70  |   function_name    = module.this.id
    		71  |   filename         = "ssosync.zip"
    		72  |   source_code_hash = module.ssosync_artifact[0].base64sha256
    		73  |   description      = "Syncs Google Workspace users and groups to AWS SSO"
    		74  |   role             = aws_iam_role.default[0].arn
    		75  |   handler          = "ssosync"
    		76  |   runtime          = "go1.x"
    		77  |   timeout          = 300
    		78  |   memory_size      = 128
    		79  | 
    		80  |   environment {
    		81  |     variables = {
    		82  |       SSOSYNC_LOG_LEVEL          = var.log_level
    		83  |       SSOSYNC_LOG_FORMAT         = var.log_format
    		84  |       SSOSYNC_GOOGLE_CREDENTIALS = local.google_credentials
    		85  |       SSOSYNC_GOOGLE_ADMIN       = var.google_admin_email
    		86  |       SSOSYNC_SCIM_ENDPOINT      = local.scim_endpoint_url
    		87  |       SSOSYNC_SCIM_ACCESS_TOKEN  = local.scim_endpoint_access_token
    		88  |       SSOSYNC_REGION             = var.region
    		89  |       SSOSYNC_IDENTITY_STORE_ID  = local.identity_store_id
    		90  |       SSOSYNC_USER_MATCH         = var.google_user_match
    		91  |       SSOSYNC_GROUP_MATCH        = var.google_group_match
    		92  |       SSOSYNC_SYNC_METHOD        = var.sync_method
    		93  |       SSOSYNC_IGNORE_GROUPS      = var.ignore_groups
    		94  |       SSOSYNC_IGNORE_USERS       = var.ignore_users
    		95  |       SSOSYNC_INCLUDE_GROUPS     = var.include_groups
    		96  |       SSOSYNC_LOAD_ASM_SECRETS   = false
    		97  |     }
    		98  |   }
    		99  |   depends_on = [null_resource.extract_my_tgz, data.archive_file.lambda]
    		100 | }
    
    Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
    	FAILED for resource: aws_lambda_function.ssosync
    	File: /modules/aws-ssosync/main.tf:67-100
    
    		67  | resource "aws_lambda_function" "ssosync" {
    		68  |   count = local.enabled ? 1 : 0
    		69  | 
    		70  |   function_name    = module.this.id
    		71  |   filename         = "ssosync.zip"
    		72  |   source_code_hash = module.ssosync_artifact[0].base64sha256
    		73  |   description      = "Syncs Google Workspace users and groups to AWS SSO"
    		74  |   role             = aws_iam_role.default[0].arn
    		75  |   handler          = "ssosync"
    		76  |   runtime          = "go1.x"
    		77  |   timeout          = 300
    		78  |   memory_size      = 128
    		79  | 
    		80  |   environment {
    		81  |     variables = {
    		82  |       SSOSYNC_LOG_LEVEL          = var.log_level
    		83  |       SSOSYNC_LOG_FORMAT         = var.log_format
    		84  |       SSOSYNC_GOOGLE_CREDENTIALS = local.google_credentials
    		85  |       SSOSYNC_GOOGLE_ADMIN       = var.google_admin_email
    		86  |       SSOSYNC_SCIM_ENDPOINT      = local.scim_endpoint_url
    		87  |       SSOSYNC_SCIM_ACCESS_TOKEN  = local.scim_endpoint_access_token
    		88  |       SSOSYNC_REGION             = var.region
    		89  |       SSOSYNC_IDENTITY_STORE_ID  = local.identity_store_id
    		90  |       SSOSYNC_USER_MATCH         = var.google_user_match
    		91  |       SSOSYNC_GROUP_MATCH        = var.google_group_match
    		92  |       SSOSYNC_SYNC_METHOD        = var.sync_method
    		93  |       SSOSYNC_IGNORE_GROUPS      = var.ignore_groups
    		94  |       SSOSYNC_IGNORE_USERS       = var.ignore_users
    		95  |       SSOSYNC_INCLUDE_GROUPS     = var.include_groups
    		96  |       SSOSYNC_LOAD_ASM_SECRETS   = false
    		97  |     }
    		98  |   }
    		99  |   depends_on = [null_resource.extract_my_tgz, data.archive_file.lambda]
    		100 | }
    
    Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
    	FAILED for resource: aws_lambda_function.ssosync
    	File: /modules/aws-ssosync/main.tf:67-100
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5.html
    
    		67  | resource "aws_lambda_function" "ssosync" {
    		68  |   count = local.enabled ? 1 : 0
    		69  | 
    		70  |   function_name    = module.this.id
    		71  |   filename         = "ssosync.zip"
    		72  |   source_code_hash = module.ssosync_artifact[0].base64sha256
    		73  |   description      = "Syncs Google Workspace users and groups to AWS SSO"
    		74  |   role             = aws_iam_role.default[0].arn
    		75  |   handler          = "ssosync"
    		76  |   runtime          = "go1.x"
    		77  |   timeout          = 300
    		78  |   memory_size      = 128
    		79  | 
    		80  |   environment {
    		81  |     variables = {
    		82  |       SSOSYNC_LOG_LEVEL          = var.log_level
    		83  |       SSOSYNC_LOG_FORMAT         = var.log_format
    		84  |       SSOSYNC_GOOGLE_CREDENTIALS = local.google_credentials
    		85  |       SSOSYNC_GOOGLE_ADMIN       = var.google_admin_email
    		86  |       SSOSYNC_SCIM_ENDPOINT      = local.scim_endpoint_url
    		87  |       SSOSYNC_SCIM_ACCESS_TOKEN  = local.scim_endpoint_access_token
    		88  |       SSOSYNC_REGION             = var.region
    		89  |       SSOSYNC_IDENTITY_STORE_ID  = local.identity_store_id
    		90  |       SSOSYNC_USER_MATCH         = var.google_user_match
    		91  |       SSOSYNC_GROUP_MATCH        = var.google_group_match
    		92  |       SSOSYNC_SYNC_METHOD        = var.sync_method
    		93  |       SSOSYNC_IGNORE_GROUPS      = var.ignore_groups
    		94  |       SSOSYNC_IGNORE_USERS       = var.ignore_users
    		95  |       SSOSYNC_INCLUDE_GROUPS     = var.include_groups
    		96  |       SSOSYNC_LOAD_ASM_SECRETS   = false
    		97  |     }
    		98  |   }
    		99  |   depends_on = [null_resource.extract_my_tgz, data.archive_file.lambda]
    		100 | }
    
    Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
    	FAILED for resource: aws_lambda_function.ssosync
    	File: /modules/aws-ssosync/main.tf:67-100
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit.html
    
    		67  | resource "aws_lambda_function" "ssosync" {
    		68  |   count = local.enabled ? 1 : 0
    		69  | 
    		70  |   function_name    = module.this.id
    		71  |   filename         = "ssosync.zip"
    		72  |   source_code_hash = module.ssosync_artifact[0].base64sha256
    		73  |   description      = "Syncs Google Workspace users and groups to AWS SSO"
    		74  |   role             = aws_iam_role.default[0].arn
    		75  |   handler          = "ssosync"
    		76  |   runtime          = "go1.x"
    		77  |   timeout          = 300
    		78  |   memory_size      = 128
    		79  | 
    		80  |   environment {
    		81  |     variables = {
    		82  |       SSOSYNC_LOG_LEVEL          = var.log_level
    		83  |       SSOSYNC_LOG_FORMAT         = var.log_format
    		84  |       SSOSYNC_GOOGLE_CREDENTIALS = local.google_credentials
    		85  |       SSOSYNC_GOOGLE_ADMIN       = var.google_admin_email
    		86  |       SSOSYNC_SCIM_ENDPOINT      = local.scim_endpoint_url
    		87  |       SSOSYNC_SCIM_ACCESS_TOKEN  = local.scim_endpoint_access_token
    		88  |       SSOSYNC_REGION             = var.region
    		89  |       SSOSYNC_IDENTITY_STORE_ID  = local.identity_store_id
    		90  |       SSOSYNC_USER_MATCH         = var.google_user_match
    		91  |       SSOSYNC_GROUP_MATCH        = var.google_group_match
    		92  |       SSOSYNC_SYNC_METHOD        = var.sync_method
    		93  |       SSOSYNC_IGNORE_GROUPS      = var.ignore_groups
    		94  |       SSOSYNC_IGNORE_USERS       = var.ignore_users
    		95  |       SSOSYNC_INCLUDE_GROUPS     = var.include_groups
    		96  |       SSOSYNC_LOAD_ASM_SECRETS   = false
    		97  |     }
    		98  |   }
    		99  |   depends_on = [null_resource.extract_my_tgz, data.archive_file.lambda]
    		100 | }
    
    Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
    	FAILED for resource: aws_lambda_function.ssosync
    	File: /modules/aws-ssosync/main.tf:67-100
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq.html
    
    		67  | resource "aws_lambda_function" "ssosync" {
    		68  |   count = local.enabled ? 1 : 0
    		69  | 
    		70  |   function_name    = module.this.id
    		71  |   filename         = "ssosync.zip"
    		72  |   source_code_hash = module.ssosync_artifact[0].base64sha256
    		73  |   description      = "Syncs Google Workspace users and groups to AWS SSO"
    		74  |   role             = aws_iam_role.default[0].arn
    		75  |   handler          = "ssosync"
    		76  |   runtime          = "go1.x"
    		77  |   timeout          = 300
    		78  |   memory_size      = 128
    		79  | 
    		80  |   environment {
    		81  |     variables = {
    		82  |       SSOSYNC_LOG_LEVEL          = var.log_level
    		83  |       SSOSYNC_LOG_FORMAT         = var.log_format
    		84  |       SSOSYNC_GOOGLE_CREDENTIALS = local.google_credentials
    		85  |       SSOSYNC_GOOGLE_ADMIN       = var.google_admin_email
    		86  |       SSOSYNC_SCIM_ENDPOINT      = local.scim_endpoint_url
    		87  |       SSOSYNC_SCIM_ACCESS_TOKEN  = local.scim_endpoint_access_token
    		88  |       SSOSYNC_REGION             = var.region
    		89  |       SSOSYNC_IDENTITY_STORE_ID  = local.identity_store_id
    		90  |       SSOSYNC_USER_MATCH         = var.google_user_match
    		91  |       SSOSYNC_GROUP_MATCH        = var.google_group_match
    		92  |       SSOSYNC_SYNC_METHOD        = var.sync_method
    		93  |       SSOSYNC_IGNORE_GROUPS      = var.ignore_groups
    		94  |       SSOSYNC_IGNORE_USERS       = var.ignore_users
    		95  |       SSOSYNC_INCLUDE_GROUPS     = var.include_groups
    		96  |       SSOSYNC_LOAD_ASM_SECRETS   = false
    		97  |     }
    		98  |   }
    		99  |   depends_on = [null_resource.extract_my_tgz, data.archive_file.lambda]
    		100 | }
    
    Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
    	FAILED for resource: aws_lambda_function.ssosync
    	File: /modules/aws-ssosync/main.tf:67-100
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1.html
    
    		67  | resource "aws_lambda_function" "ssosync" {
    		68  |   count = local.enabled ? 1 : 0
    		69  | 
    		70  |   function_name    = module.this.id
    		71  |   filename         = "ssosync.zip"
    		72  |   source_code_hash = module.ssosync_artifact[0].base64sha256
    		73  |   description      = "Syncs Google Workspace users and groups to AWS SSO"
    		74  |   role             = aws_iam_role.default[0].arn
    		75  |   handler          = "ssosync"
    		76  |   runtime          = "go1.x"
    		77  |   timeout          = 300
    		78  |   memory_size      = 128
    		79  | 
    		80  |   environment {
    		81  |     variables = {
    		82  |       SSOSYNC_LOG_LEVEL          = var.log_level
    		83  |       SSOSYNC_LOG_FORMAT         = var.log_format
    		84  |       SSOSYNC_GOOGLE_CREDENTIALS = local.google_credentials
    		85  |       SSOSYNC_GOOGLE_ADMIN       = var.google_admin_email
    		86  |       SSOSYNC_SCIM_ENDPOINT      = local.scim_endpoint_url
    		87  |       SSOSYNC_SCIM_ACCESS_TOKEN  = local.scim_endpoint_access_token
    		88  |       SSOSYNC_REGION             = var.region
    		89  |       SSOSYNC_IDENTITY_STORE_ID  = local.identity_store_id
    		90  |       SSOSYNC_USER_MATCH         = var.google_user_match
    		91  |       SSOSYNC_GROUP_MATCH        = var.google_group_match
    		92  |       SSOSYNC_SYNC_METHOD        = var.sync_method
    		93  |       SSOSYNC_IGNORE_GROUPS      = var.ignore_groups
    		94  |       SSOSYNC_IGNORE_USERS       = var.ignore_users
    		95  |       SSOSYNC_INCLUDE_GROUPS     = var.include_groups
    		96  |       SSOSYNC_LOAD_ASM_SECRETS   = false
    		97  |     }
    		98  |   }
    		99  |   depends_on = [null_resource.extract_my_tgz, data.archive_file.lambda]
    		100 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.eks_view_access
    	File: /modules/aws-team-roles/policy-eks-viewer.tf:5-22
    
    		5  | data "aws_iam_policy_document" "eks_view_access" {
    		6  |   count = local.eks_viewer_enabled ? 1 : 0
    		7  | 
    		8  |   statement {
    		9  |     sid    = "AllowEKSView"
    		10 |     effect = "Allow"
    		11 |     actions = [
    		12 |       "eks:Get*",
    		13 |       "eks:Describe*",
    		14 |       "eks:List*",
    		15 |       "eks:Access*"
    		16 |     ]
    		17 |     resources = [
    		18 |       "*"
    		19 |     ]
    		20 |   }
    		21 | 
    		22 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.support_access_trusted_advisor
    	File: /modules/aws-team-roles/policy-support.tf:16-30
    
    		16 | data "aws_iam_policy_document" "support_access_trusted_advisor" {
    		17 |   count = local.support_policy_enabled ? 1 : 0
    		18 | 
    		19 |   statement {
    		20 |     sid    = "AllowTrustedAdvisor"
    		21 |     effect = "Allow"
    		22 |     actions = [
    		23 |       "trustedadvisor:Describe*",
    		24 |     ]
    		25 | 
    		26 |     resources = [
    		27 |       "*",
    		28 |     ]
    		29 |   }
    		30 | }
    
    Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_policy_document.main
    	File: /modules/bastion/iam.tf:42-120
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.main
    	File: /modules/bastion/iam.tf:42-120
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.main
    	File: /modules/bastion/iam.tf:42-120
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.cloudtrail_cloudwatch_logs
    	File: /modules/cloudtrail/cloudtrail-cloudwatch-logs.tf:15-37
    
    		15 | data "aws_iam_policy_document" "cloudtrail_cloudwatch_logs" {
    		16 |   count = local.enabled ? 1 : 0
    		17 | 
    		18 |   statement {
    		19 |     actions = [
    		20 |       "logs:DescribeLogGroups",
    		21 |       "logs:DescribeLogStreams"
    		22 |     ]
    		23 | 
    		24 |     resources = ["*"]
    		25 |   }
    		26 | 
    		27 |   statement {
    		28 |     actions = [
    		29 |       "logs:PutLogEvents",
    		30 |       "logs:CreateLogStream"
    		31 |     ]
    		32 | 
    		33 |     resources = [
    		34 |       "${join("", aws_cloudwatch_log_group.cloudtrail_cloudwatch_logs[*].arn)}:*"
    		35 |     ]
    		36 |   }
    		37 | }
    
    Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
    	FAILED for resource: aws_cloudwatch_log_group.cloudtrail_cloudwatch_logs
    	File: /modules/cloudtrail/cloudtrail-cloudwatch-logs.tf:62-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html
    
    		62 | resource "aws_cloudwatch_log_group" "cloudtrail_cloudwatch_logs" {
    		63 |   count             = local.enabled ? 1 : 0
    		64 |   name              = module.this.id
    		65 |   retention_in_days = var.cloudwatch_logs_retention_in_days
    		66 |   tags              = module.this.tags
    		67 | }
    
    Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
    	FAILED for resource: aws_iam_policy_document.kms_key_cloudtrail
    	File: /modules/cloudtrail/cloudtrail-kms-key.tf:26-100
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.kms_key_cloudtrail
    	File: /modules/cloudtrail/cloudtrail-kms-key.tf:26-100
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.kms_key_cloudtrail
    	File: /modules/cloudtrail/cloudtrail-kms-key.tf:26-100
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
    	FAILED for resource: aws_iam_policy_document.kms
    	File: /modules/cloudwatch-logs/main.tf:39-100
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.kms
    	File: /modules/cloudwatch-logs/main.tf:39-100
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.kms
    	File: /modules/cloudwatch-logs/main.tf:39-100
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.acm_arn
    	File: /modules/dns-delegated/acm.tf:36-46
    
    		36 | resource "aws_ssm_parameter" "acm_arn" {
    		37 |   for_each = local.certificate_enabled ? local.zone_map : {}
    		38 | 
    		39 |   name        = format("/acm/%s.%s", each.key, each.value)
    		40 |   value       = module.acm[each.key].arn
    		41 |   description = "ACM certificate id"
    		42 |   type        = "String"
    		43 |   overwrite   = true
    		44 | 
    		45 |   tags = module.this.tags
    		46 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.master_username
    	File: /modules/documentdb/ssm.tf:1-7
    
    		1 | resource "aws_ssm_parameter" "master_username" {
    		2 |   count = local.enabled ? 1 : 0
    		3 | 
    		4 |   name  = "/${module.this.name}/master_username"
    		5 |   type  = "String"
    		6 |   value = var.master_username
    		7 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.master_password
    	File: /modules/documentdb/ssm.tf:26-32
    
    		26 | resource "aws_ssm_parameter" "master_password" {
    		27 |   count = local.enabled ? 1 : 0
    		28 | 
    		29 |   name  = "/${module.this.name}/master_password"
    		30 |   type  = "SecureString"
    		31 |   value = join("", random_password.master_password.*.result)
    		32 | }
    
    Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
    	FAILED for resource: aws_iam_policy_document.github_actions_iam_platform_policy
    	File: /modules/ecs-service/github-actions-iam-policy.tf:24-76
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.github_actions_iam_platform_policy
    	File: /modules/ecs-service/github-actions-iam-policy.tf:24-76
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.ingress_cidr
    	File: /modules/ecs/main.tf:37-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		37 | resource "aws_security_group_rule" "ingress_cidr" {
    		38 |   for_each          = local.enabled ? toset(var.allowed_cidr_blocks) : []
    		39 |   type              = "ingress"
    		40 |   from_port         = 0
    		41 |   to_port           = 65535
    		42 |   protocol          = "tcp"
    		43 |   cidr_blocks       = [each.value]
    		44 |   security_group_id = join("", aws_security_group.default.*.id)
    		45 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.ingress_security_groups
    	File: /modules/ecs/main.tf:47-55
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		47 | resource "aws_security_group_rule" "ingress_security_groups" {
    		48 |   for_each                 = local.enabled ? toset(var.allowed_security_groups) : []
    		49 |   type                     = "ingress"
    		50 |   from_port                = 0
    		51 |   to_port                  = 65535
    		52 |   protocol                 = "tcp"
    		53 |   source_security_group_id = each.value
    		54 |   security_group_id        = join("", aws_security_group.default.*.id)
    		55 | }
    
    Check: CKV_AWS_23: "Ensure every security groups rule has a description"
    	FAILED for resource: aws_security_group_rule.egress
    	File: /modules/ecs/main.tf:57-65
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/networking-31.html
    
    		57 | resource "aws_security_group_rule" "egress" {
    		58 |   count             = local.enabled ? 1 : 0
    		59 |   type              = "egress"
    		60 |   from_port         = 0
    		61 |   to_port           = 65535
    		62 |   protocol          = "tcp"
    		63 |   cidr_blocks       = ["0.0.0.0/0"]
    		64 |   security_group_id = join("", aws_security_group.default.*.id)
    		65 | }
    
    Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
    	FAILED for resource: aws_iam_policy_document.kms_key_efs
    	File: /modules/efs/main.tf:58-112
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.kms_key_efs
    	File: /modules/efs/main.tf:58-112
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.kms_key_efs
    	File: /modules/efs/main.tf:58-112
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.vpc_cni_ipv6
    	File: /modules/eks/cluster/addons.tf:78-102
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		78  | data "aws_iam_policy_document" "vpc_cni_ipv6" {
    		79  |   count = local.vpc_cni_sa_needed ? 1 : 0
    		80  | 
    		81  |   # See https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy
    		82  |   statement {
    		83  |     sid       = ""
    		84  |     effect    = "Allow"
    		85  |     resources = ["*"]
    		86  | 
    		87  |     actions = [
    		88  |       "ec2:AssignIpv6Addresses",
    		89  |       "ec2:DescribeInstances",
    		90  |       "ec2:DescribeTags",
    		91  |       "ec2:DescribeNetworkInterfaces",
    		92  |       "ec2:DescribeInstanceTypes"
    		93  |     ]
    		94  |   }
    		95  | 
    		96  |   statement {
    		97  |     sid       = ""
    		98  |     effect    = "Allow"
    		99  |     resources = ["arn:aws:ec2:*:*:network-interface/*"]
    		100 |     actions   = ["ec2:CreateTags"]
    		101 |   }
    		102 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.vpc_cni_ipv6
    	File: /modules/eks/cluster/addons.tf:78-102
    
    		78  | data "aws_iam_policy_document" "vpc_cni_ipv6" {
    		79  |   count = local.vpc_cni_sa_needed ? 1 : 0
    		80  | 
    		81  |   # See https://docs.aws.amazon.com/eks/latest/userguide/cni-iam-role.html#cni-iam-role-create-ipv6-policy
    		82  |   statement {
    		83  |     sid       = ""
    		84  |     effect    = "Allow"
    		85  |     resources = ["*"]
    		86  | 
    		87  |     actions = [
    		88  |       "ec2:AssignIpv6Addresses",
    		89  |       "ec2:DescribeInstances",
    		90  |       "ec2:DescribeTags",
    		91  |       "ec2:DescribeNetworkInterfaces",
    		92  |       "ec2:DescribeInstanceTypes"
    		93  |     ]
    		94  |   }
    		95  | 
    		96  |   statement {
    		97  |     sid       = ""
    		98  |     effect    = "Allow"
    		99  |     resources = ["arn:aws:ec2:*:*:network-interface/*"]
    		100 |     actions   = ["ec2:CreateTags"]
    		101 |   }
    		102 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.admin_password
    	File: /modules/elasticsearch/main.tf:74-81
    
    		74 | resource "aws_ssm_parameter" "admin_password" {
    		75 |   count       = local.enabled ? 1 : 0
    		76 |   name        = local.elasticsearch_admin_password
    		77 |   value       = local.elasticsearch_password
    		78 |   description = "Primary Aurora Postgres Password for the master DB user"
    		79 |   type        = "SecureString"
    		80 |   overwrite   = true
    		81 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.elasticsearch_domain_endpoint
    	File: /modules/elasticsearch/main.tf:84-91
    
    		84 | resource "aws_ssm_parameter" "elasticsearch_domain_endpoint" {
    		85 |   count       = local.enabled ? 1 : 0
    		86 |   name        = local.elasticsearch_domain_endpoint
    		87 |   value       = module.elasticsearch.domain_endpoint
    		88 |   description = "Domain-specific endpoint used to submit index, search, and data upload requests"
    		89 |   type        = "String"
    		90 |   overwrite   = true
    		91 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.elasticsearch_kibana_endpoint
    	File: /modules/elasticsearch/main.tf:93-100
    
    		93  | resource "aws_ssm_parameter" "elasticsearch_kibana_endpoint" {
    		94  |   count       = local.enabled ? 1 : 0
    		95  |   name        = local.elasticsearch_kibana_endpoint
    		96  |   value       = module.elasticsearch.kibana_endpoint
    		97  |   description = "Domain-specific endpoint for Kibana without https scheme"
    		98  |   type        = "String"
    		99  |   overwrite   = true
    		100 | }
    
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.github_action_runner
    	File: /modules/github-runners/iam.tf:23-84
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.github_actions_iam_policy
    	File: /modules/gitops/github-actions-iam-policy.tf:9-69
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
    	FAILED for resource: aws_iam_policy_document.kms_key_rds
    	File: /modules/rds/kms.tf:15-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
    	FAILED for resource: aws_iam_policy_document.kms_key_rds
    	File: /modules/rds/kms.tf:15-67
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint.html
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.kms_key_rds
    	File: /modules/rds/kms.tf:15-67
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
    	FAILED for resource: aws_iam_policy_document.kms_key_ses
    	File: /modules/ses/main.tf:82-140
    
    		Code lines for this resource are too many. Please use IDE of your choice to review the file.
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.destination
    	File: /modules/ssm-parameters/main.tf:28-40
    
    		28 | resource "aws_ssm_parameter" "destination" {
    		29 |   for_each = local.params
    		30 | 
    		31 |   name        = each.key
    		32 |   description = each.value.description
    		33 |   tier        = each.value.tier
    		34 |   type        = each.value.type
    		35 |   key_id      = var.kms_arn
    		36 |   value       = each.value.value
    		37 |   overwrite   = each.value.overwrite
    		38 | 
    		39 |   tags = module.this.tags
    		40 | }
    
    Check: CKV_AWS_337: "Ensure SSM parameters are using KMS CMK"
    	FAILED for resource: aws_ssm_parameter.acl_arn
    	File: /modules/waf/main.tf:56-65
    
    		56 | resource "aws_ssm_parameter" "acl_arn" {
    		57 |   count = local.enabled ? 1 : 0
    		58 | 
    		59 |   name        = "${var.ssm_path_prefix}/${var.acl_name}/arn"
    		60 |   value       = module.aws_waf.arn
    		61 |   description = "ARN for WAF web ACL ${var.acl_name}"
    		62 |   type        = "String"
    		63 |   overwrite   = true
    		64 |   tags        = module.this.tags
    		65 | }
    
    Check: CKV2_GIT_1: "Ensure each Repository has branch protection associated"
    	FAILED for resource: github_repository.default[0]
    	File: /modules/argocd-repo/main.tf:45-53
    
    		45 | resource "github_repository" "default" {
    		46 |   count = local.enabled && var.create_repo ? 1 : 0
    		47 | 
    		48 |   name        = module.this.name
    		49 |   description = var.description
    		50 |   auto_init   = true # will create a 'main' branch
    		51 | 
    		52 |   visibility = "private"
    		53 | }
    
    Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
    	FAILED for resource: aws_kms_key.github_action_runner
    	File: /deprecated/github-actions-runner/kms.tf:1-8
    
    		1 | resource "aws_kms_key" "github_action_runner" {
    		2 |   count = local.enabled ? 1 : 0
    		3 | 
    		4 |   description             = "Github Action Runners key used for decryption - ${module.github_action_controller_label.id}"
    		5 |   enable_key_rotation     = true
    		6 |   deletion_window_in_days = 30
    		7 |   tags                    = module.github_action_controller_label.tags
    		8 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.acl_arn
    	File: /deprecated/aws-waf-acl/main.tf:30-37
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		30 | resource "aws_ssm_parameter" "acl_arn" {
    		31 |   count       = local.enabled ? 1 : 0
    		32 |   name        = "${var.ssm_path_prefix}/${var.acl_name}/arn"
    		33 |   value       = module.aws_waf.arn
    		34 |   description = "ARN for WAF web ACL ${var.acl_name}"
    		35 |   type        = "String"
    		36 |   overwrite   = true
    		37 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.account_id
    	File: /deprecated/aws/accounts/stage/main.tf:16-23
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		16 | resource "aws_ssm_parameter" "account_id" {
    		17 |   count       = local.count
    		18 |   name        = "/${var.namespace}/${var.stage}/account_id"
    		19 |   description = "AWS Account ID"
    		20 |   type        = "String"
    		21 |   value       = local.account_id
    		22 |   overwrite   = "true"
    		23 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.account_arn
    	File: /deprecated/aws/accounts/stage/main.tf:25-32
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		25 | resource "aws_ssm_parameter" "account_arn" {
    		26 |   count       = local.count
    		27 |   name        = "/${var.namespace}/${var.stage}/account_arn"
    		28 |   description = "AWS Account ARN"
    		29 |   type        = "String"
    		30 |   value       = local.account_arn
    		31 |   overwrite   = "true"
    		32 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.organization_account_access_role
    	File: /deprecated/aws/accounts/stage/main.tf:34-41
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		34 | resource "aws_ssm_parameter" "organization_account_access_role" {
    		35 |   count       = local.count
    		36 |   name        = "/${var.namespace}/${var.stage}/organization_account_access_role"
    		37 |   description = "AWS Organization Account Access Role"
    		38 |   type        = "String"
    		39 |   value       = local.organization_account_access_role
    		40 |   overwrite   = "true"
    		41 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.certificate_arn_parameter
    	File: /deprecated/aws/acm-teleport/main.tf:23-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		23 | resource "aws_ssm_parameter" "certificate_arn_parameter" {
    		24 |   name        = format(var.chamber_parameter_name, var.chamber_service, var.certificate_arn_parameter_name)
    		25 |   value       = module.certificate.arn
    		26 |   description = "Teleport ACM-issued TLS Certificate AWS ARN"
    		27 |   type        = "String"
    		28 |   overwrite   = "true"
    		29 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.certificate_arn_parameter
    	File: /deprecated/aws/acm/main.tf:22-28
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		22 | resource "aws_ssm_parameter" "certificate_arn_parameter" {
    		23 |   name        = format(var.chamber_parameter_name_format, var.chamber_service, var.certificate_arn_parameter_name)
    		24 |   value       = module.certificate.arn
    		25 |   description = "ACM-issued TLS Certificate ARN"
    		26 |   type        = "String"
    		27 |   overwrite   = true
    		28 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aws_metrics_iam_role
    	File: /deprecated/aws/aws-metrics-role/main.tf:117-123
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		117 | resource "aws_ssm_parameter" "aws_metrics_iam_role" {
    		118 |   name        = format(var.chamber_parameter_name_pattern, local.chamber_service, "aws_metrics_iam_role")
    		119 |   value       = aws_iam_role.default.name
    		120 |   description = "IAM role name for AWS metrics access"
    		121 |   type        = "String"
    		122 |   overwrite   = "true"
    		123 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aws_metrics_iam_namespace[0]
    	File: /deprecated/aws/aws-metrics-role/main.tf:125-132
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		125 | resource "aws_ssm_parameter" "aws_metrics_iam_namespace" {
    		126 |   count       = length(var.cloudwatch_namespace) > 0 ? 1 : 0
    		127 |   name        = format(var.chamber_parameter_name_pattern, local.chamber_service, "aws_metrics_iam_namespace")
    		128 |   value       = var.cloudwatch_namespace
    		129 |   description = "Kubernetes namespace for AWS metrics accessors"
    		130 |   type        = "String"
    		131 |   overwrite   = "true"
    		132 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_mysql_database_name
    	File: /deprecated/aws/backing-services/aurora-mysql.tf:105-112
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		105 | resource "aws_ssm_parameter" "aurora_mysql_database_name" {
    		106 |   count       = local.mysql_cluster_enabled ? 1 : 0
    		107 |   name        = format(var.chamber_parameter_name, local.chamber_service, "aurora_mysql_database_name")
    		108 |   value       = module.aurora_mysql.name
    		109 |   description = "Aurora MySQL Database Name"
    		110 |   type        = "String"
    		111 |   overwrite   = "true"
    		112 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_mysql_master_username
    	File: /deprecated/aws/backing-services/aurora-mysql.tf:114-121
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		114 | resource "aws_ssm_parameter" "aurora_mysql_master_username" {
    		115 |   count       = local.mysql_cluster_enabled ? 1 : 0
    		116 |   name        = format(var.chamber_parameter_name, local.chamber_service, "aurora_mysql_master_username")
    		117 |   value       = module.aurora_mysql.user
    		118 |   description = "Aurora MySQL Username for the master DB user"
    		119 |   type        = "String"
    		120 |   overwrite   = "true"
    		121 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_mysql_master_password
    	File: /deprecated/aws/backing-services/aurora-mysql.tf:123-130
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		123 | resource "aws_ssm_parameter" "aurora_mysql_master_password" {
    		124 |   count       = local.mysql_cluster_enabled ? 1 : 0
    		125 |   name        = format(var.chamber_parameter_name, local.chamber_service, "aurora_mysql_master_password")
    		126 |   value       = module.aurora_mysql.password
    		127 |   description = "Aurora MySQL Password for the master DB user"
    		128 |   type        = "String"
    		129 |   overwrite   = "true"
    		130 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_mysql_master_hostname
    	File: /deprecated/aws/backing-services/aurora-mysql.tf:132-139
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		132 | resource "aws_ssm_parameter" "aurora_mysql_master_hostname" {
    		133 |   count       = local.mysql_cluster_enabled ? 1 : 0
    		134 |   name        = format(var.chamber_parameter_name, local.chamber_service, "aurora_mysql_master_hostname")
    		135 |   value       = module.aurora_mysql.master_host
    		136 |   description = "Aurora MySQL DB Master hostname"
    		137 |   type        = "String"
    		138 |   overwrite   = "true"
    		139 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_mysql_replicas_hostname
    	File: /deprecated/aws/backing-services/aurora-mysql.tf:141-148
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		141 | resource "aws_ssm_parameter" "aurora_mysql_replicas_hostname" {
    		142 |   count       = local.mysql_cluster_enabled ? 1 : 0
    		143 |   name        = format(var.chamber_parameter_name, local.chamber_service, "aurora_mysql_replicas_hostname")
    		144 |   value       = module.aurora_mysql.replicas_host
    		145 |   description = "Aurora MySQL DB Replicas hostname"
    		146 |   type        = "String"
    		147 |   overwrite   = "true"
    		148 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_mysql_cluster_name
    	File: /deprecated/aws/backing-services/aurora-mysql.tf:150-157
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		150 | resource "aws_ssm_parameter" "aurora_mysql_cluster_name" {
    		151 |   count       = local.mysql_cluster_enabled ? 1 : 0
    		152 |   name        = format(var.chamber_parameter_name, local.chamber_service, "aurora_mysql_cluster_name")
    		153 |   value       = module.aurora_mysql.cluster_name
    		154 |   description = "Aurora MySQL DB Cluster Identifier"
    		155 |   type        = "String"
    		156 |   overwrite   = "true"
    		157 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.postgres_replica_hostname
    	File: /deprecated/aws/backing-services/aurora-postgres-replica.tf:55-62
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		55 | resource "aws_ssm_parameter" "postgres_replica_hostname" {
    		56 |   count       = local.postgres_replica_enabled ? 1 : 0
    		57 |   name        = format(var.chamber_parameter_name, local.chamber_service, "postgres_replica_hostname")
    		58 |   value       = module.postgres_replica.hostname
    		59 |   description = "RDS Cluster replica hostname"
    		60 |   type        = "String"
    		61 |   overwrite   = "true"
    		62 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.postgres_replica_endpoint
    	File: /deprecated/aws/backing-services/aurora-postgres-replica.tf:64-71
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		64 | resource "aws_ssm_parameter" "postgres_replica_endpoint" {
    		65 |   count       = local.postgres_replica_enabled ? 1 : 0
    		66 |   name        = format(var.chamber_parameter_name, local.chamber_service, "postgres_replica_endpoint")
    		67 |   value       = module.postgres_replica.endpoint
    		68 |   description = "RDS Cluster Replicas hostname"
    		69 |   type        = "String"
    		70 |   overwrite   = "true"
    		71 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_postgres_database_name
    	File: /deprecated/aws/backing-services/aurora-postgres.tf:104-111
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		104 | resource "aws_ssm_parameter" "aurora_postgres_database_name" {
    		105 |   count       = local.postgres_cluster_enabled ? 1 : 0
    		106 |   name        = format(var.chamber_parameter_name, local.chamber_service, "aurora_postgres_database_name")
    		107 |   value       = module.aurora_postgres.name
    		108 |   description = "Aurora Postgres Database Name"
    		109 |   type        = "String"
    		110 |   overwrite   = "true"
    		111 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_postgres_master_username
    	File: /deprecated/aws/backing-services/aurora-postgres.tf:113-120
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		113 | resource "aws_ssm_parameter" "aurora_postgres_master_username" {
    		114 |   count       = local.postgres_cluster_enabled ? 1 : 0
    		115 |   name        = format(var.chamber_parameter_name, local.chamber_service, "aurora_postgres_master_username")
    		116 |   value       = module.aurora_postgres.user
    		117 |   description = "Aurora Postgres Username for the master DB user"
    		118 |   type        = "String"
    		119 |   overwrite   = "true"
    		120 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_postgres_master_password
    	File: /deprecated/aws/backing-services/aurora-postgres.tf:122-129
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		122 | resource "aws_ssm_parameter" "aurora_postgres_master_password" {
    		123 |   count       = local.postgres_cluster_enabled ? 1 : 0
    		124 |   name        = format(var.chamber_parameter_name, local.chamber_service, "aurora_postgres_master_password")
    		125 |   value       = module.aurora_postgres.password
    		126 |   description = "Aurora Postgres Password for the master DB user"
    		127 |   type        = "String"
    		128 |   overwrite   = "true"
    		129 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_postgres_master_hostname
    	File: /deprecated/aws/backing-services/aurora-postgres.tf:131-138
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		131 | resource "aws_ssm_parameter" "aurora_postgres_master_hostname" {
    		132 |   count       = local.postgres_cluster_enabled ? 1 : 0
    		133 |   name        = format(var.chamber_parameter_name, local.chamber_service, "aurora_postgres_master_hostname")
    		134 |   value       = module.aurora_postgres.master_host
    		135 |   description = "Aurora Postgres DB Master hostname"
    		136 |   type        = "String"
    		137 |   overwrite   = "true"
    		138 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_postgres_replicas_hostname
    	File: /deprecated/aws/backing-services/aurora-postgres.tf:140-147
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		140 | resource "aws_ssm_parameter" "aurora_postgres_replicas_hostname" {
    		141 |   count       = local.postgres_cluster_enabled ? 1 : 0
    		142 |   name        = format(var.chamber_parameter_name, local.chamber_service, "aurora_postgres_replicas_hostname")
    		143 |   value       = module.aurora_postgres.replicas_host
    		144 |   description = "Aurora Postgres DB Replicas hostname"
    		145 |   type        = "String"
    		146 |   overwrite   = "true"
    		147 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_postgres_cluster_name
    	File: /deprecated/aws/backing-services/aurora-postgres.tf:149-156
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		149 | resource "aws_ssm_parameter" "aurora_postgres_cluster_name" {
    		150 |   count       = local.postgres_cluster_enabled ? 1 : 0
    		151 |   name        = format(var.chamber_parameter_name, local.chamber_service, "aurora_postgres_cluster_name")
    		152 |   value       = module.aurora_postgres.cluster_name
    		153 |   description = "Aurora Postgres DB Cluster Identifier"
    		154 |   type        = "String"
    		155 |   overwrite   = "true"
    		156 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.rds_replica_hostname
    	File: /deprecated/aws/backing-services/rds-replica.tf:138-145
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		138 | resource "aws_ssm_parameter" "rds_replica_hostname" {
    		139 |   count       = local.rds_replica_enabled ? 1 : 0
    		140 |   name        = format(var.chamber_parameter_name, local.chamber_service, "rds_replica_hostname")
    		141 |   value       = module.rds_replica.hostname
    		142 |   description = "RDS replica hostname"
    		143 |   type        = "String"
    		144 |   overwrite   = "true"
    		145 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.rds_replica_port
    	File: /deprecated/aws/backing-services/rds-replica.tf:147-154
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		147 | resource "aws_ssm_parameter" "rds_replica_port" {
    		148 |   count       = local.rds_replica_enabled ? 1 : 0
    		149 |   name        = format(var.chamber_parameter_name, local.chamber_service, "rds_replica_port")
    		150 |   value       = var.rds_replica_port
    		151 |   description = "RDS replica port"
    		152 |   type        = "String"
    		153 |   overwrite   = "true"
    		154 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.rds_db_name
    	File: /deprecated/aws/backing-services/rds.tf:201-208
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		201 | resource "aws_ssm_parameter" "rds_db_name" {
    		202 |   count       = local.rds_enabled ? 1 : 0
    		203 |   name        = format(var.chamber_parameter_name, local.chamber_service, "rds_db_name")
    		204 |   value       = local.rds_db_name
    		205 |   description = "RDS Database Name"
    		206 |   type        = "String"
    		207 |   overwrite   = "true"
    		208 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.rds_admin_username
    	File: /deprecated/aws/backing-services/rds.tf:210-217
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		210 | resource "aws_ssm_parameter" "rds_admin_username" {
    		211 |   count       = local.rds_enabled ? 1 : 0
    		212 |   name        = format(var.chamber_parameter_name, local.chamber_service, "rds_admin_username")
    		213 |   value       = local.rds_admin_user
    		214 |   description = "RDS Username for the admin DB user"
    		215 |   type        = "String"
    		216 |   overwrite   = "true"
    		217 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.rds_admin_password
    	File: /deprecated/aws/backing-services/rds.tf:219-226
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		219 | resource "aws_ssm_parameter" "rds_admin_password" {
    		220 |   count       = local.rds_enabled ? 1 : 0
    		221 |   name        = format(var.chamber_parameter_name, local.chamber_service, "rds_admin_password")
    		222 |   value       = local.rds_admin_password
    		223 |   description = "RDS Password for the admin DB user"
    		224 |   type        = "String"
    		225 |   overwrite   = "true"
    		226 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.rds_hostname
    	File: /deprecated/aws/backing-services/rds.tf:228-235
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		228 | resource "aws_ssm_parameter" "rds_hostname" {
    		229 |   count       = local.rds_enabled ? 1 : 0
    		230 |   name        = format(var.chamber_parameter_name, local.chamber_service, "rds_hostname")
    		231 |   value       = module.rds.hostname
    		232 |   description = "RDS hostname"
    		233 |   type        = "String"
    		234 |   overwrite   = "true"
    		235 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.rds_port
    	File: /deprecated/aws/backing-services/rds.tf:237-244
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		237 | resource "aws_ssm_parameter" "rds_port" {
    		238 |   count       = local.rds_enabled ? 1 : 0
    		239 |   name        = format(var.chamber_parameter_name, local.chamber_service, "rds_port")
    		240 |   value       = var.rds_port
    		241 |   description = "RDS port"
    		242 |   type        = "String"
    		243 |   overwrite   = "true"
    		244 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.datadog_cluster_agent_token
    	File: /deprecated/aws/datadog/main.tf:45-51
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		45 | resource "aws_ssm_parameter" "datadog_cluster_agent_token" {
    		46 |   name        = format(var.chamber_parameter_name, local.chamber_service, "datadog_cluster_agent_token")
    		47 |   value       = random_string.tokens.result
    		48 |   description = "A cluster-internal secret for agent-to-agent communication. Must be 32+ characters a-zA-Z"
    		49 |   type        = "String"
    		50 |   overwrite   = "true"
    		51 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.dynamodb_table_name
    	File: /deprecated/aws/dynamodb/ssm.tf:5-12
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		5  | resource "aws_ssm_parameter" "dynamodb_table_name" {
    		6  |   count       = var.chamber_parameters_enabled ? 1 : 0
    		7  |   name        = format(var.chamber_parameter_name, local.dynamodb_chamber_service, "dynamodb_table_name")
    		8  |   value       = module.dynamodb.table_name
    		9  |   description = "DynamoDB table name"
    		10 |   type        = "String"
    		11 |   overwrite   = true
    		12 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.dynamodb_table_id
    	File: /deprecated/aws/dynamodb/ssm.tf:14-21
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		14 | resource "aws_ssm_parameter" "dynamodb_table_id" {
    		15 |   count       = var.chamber_parameters_enabled ? 1 : 0
    		16 |   name        = format(var.chamber_parameter_name, local.dynamodb_chamber_service, "dynamodb_table_id")
    		17 |   value       = module.dynamodb.table_id
    		18 |   description = "DynamoDB table ID"
    		19 |   type        = "String"
    		20 |   overwrite   = true
    		21 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.dynamodb_table_arn
    	File: /deprecated/aws/dynamodb/ssm.tf:23-30
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		23 | resource "aws_ssm_parameter" "dynamodb_table_arn" {
    		24 |   count       = var.chamber_parameters_enabled ? 1 : 0
    		25 |   name        = format(var.chamber_parameter_name, local.dynamodb_chamber_service, "dynamodb_table_arn")
    		26 |   value       = module.dynamodb.table_arn
    		27 |   description = "DynamoDB table ARN"
    		28 |   type        = "String"
    		29 |   overwrite   = true
    		30 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.elasticsearch_domain_endpoint
    	File: /deprecated/aws/elasticsearch/main.tf:116-127
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		116 | resource "aws_ssm_parameter" "elasticsearch_domain_endpoint" {
    		117 |   count = var.chamber_parameters_enabled ? 1 : 0
    		118 |   name = format(
    		119 |     var.chamber_parameter_name,
    		120 |     local.elasticsearch_chamber_service,
    		121 |     "elasticsearch_domain_endpoint"
    		122 |   )
    		123 |   value       = module.elasticsearch.domain_endpoint
    		124 |   description = "Domain-specific endpoint used to submit index, search, and data upload requests"
    		125 |   type        = "String"
    		126 |   overwrite   = true
    		127 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.elasticsearch_kibana_endpoint
    	File: /deprecated/aws/elasticsearch/main.tf:129-140
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		129 | resource "aws_ssm_parameter" "elasticsearch_kibana_endpoint" {
    		130 |   count = var.chamber_parameters_enabled ? 1 : 0
    		131 |   name = format(
    		132 |     var.chamber_parameter_name,
    		133 |     local.elasticsearch_chamber_service,
    		134 |     "elasticsearch_kibana_endpoint"
    		135 |   )
    		136 |   value       = module.elasticsearch.kibana_endpoint
    		137 |   description = "Domain-specific endpoint for Kibana without https scheme"
    		138 |   type        = "String"
    		139 |   overwrite   = true
    		140 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_mysql_database_name
    	File: /deprecated/aws/grafana-backing-services/aurora-mysql.tf:176-183
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		176 | resource "aws_ssm_parameter" "aurora_mysql_database_name" {
    		177 |   count       = var.mysql_cluster_enabled ? 1 : 0
    		178 |   name        = format(var.chamber_parameter_name_pattern, local.chamber_service, "grafana_db_name")
    		179 |   value       = module.aurora_mysql.database_name
    		180 |   description = "Aurora MySQL Database Name"
    		181 |   type        = "String"
    		182 |   overwrite   = "true"
    		183 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_mysql_master_username
    	File: /deprecated/aws/grafana-backing-services/aurora-mysql.tf:185-192
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		185 | resource "aws_ssm_parameter" "aurora_mysql_master_username" {
    		186 |   count       = var.mysql_cluster_enabled ? 1 : 0
    		187 |   name        = format(var.chamber_parameter_name_pattern, local.chamber_service, "grafana_db_user")
    		188 |   value       = module.aurora_mysql.master_username
    		189 |   description = "Aurora MySQL Username for the master DB user"
    		190 |   type        = "String"
    		191 |   overwrite   = "true"
    		192 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_mysql_endpoint_hostname
    	File: /deprecated/aws/grafana-backing-services/aurora-mysql.tf:204-211
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		204 | resource "aws_ssm_parameter" "aurora_mysql_endpoint_hostname" {
    		205 |   count       = var.mysql_cluster_enabled ? 1 : 0
    		206 |   name        = format(var.chamber_parameter_name_pattern, local.chamber_service, "grafana_db_host")
    		207 |   value       = module.aurora_mysql.endpoint
    		208 |   description = "Aurora MySQL DB endpoint DNS name"
    		209 |   type        = "String"
    		210 |   overwrite   = "true"
    		211 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_mysql_port
    	File: /deprecated/aws/grafana-backing-services/aurora-mysql.tf:213-220
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		213 | resource "aws_ssm_parameter" "aurora_mysql_port" {
    		214 |   count       = var.mysql_cluster_enabled ? 1 : 0
    		215 |   name        = format(var.chamber_parameter_name_pattern, local.chamber_service, "grafana_db_port")
    		216 |   value       = "3306"
    		217 |   description = "Aurora MySQL DB endpoint port"
    		218 |   type        = "String"
    		219 |   overwrite   = "true"
    		220 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_mysql_database_name
    	File: /deprecated/aws/keycloak-backing-services/aurora-mysql.tf:191-198
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		191 | resource "aws_ssm_parameter" "aurora_mysql_database_name" {
    		192 |   count       = local.mysql_cluster_enabled ? 1 : 0
    		193 |   name        = format(var.chamber_parameter_name_pattern, local.chamber_service, "keycloak_db_name")
    		194 |   value       = module.aurora_mysql.name
    		195 |   description = "Aurora MySQL Database Name"
    		196 |   type        = "String"
    		197 |   overwrite   = "true"
    		198 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_mysql_master_username
    	File: /deprecated/aws/keycloak-backing-services/aurora-mysql.tf:200-207
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		200 | resource "aws_ssm_parameter" "aurora_mysql_master_username" {
    		201 |   count       = local.mysql_cluster_enabled ? 1 : 0
    		202 |   name        = format(var.chamber_parameter_name_pattern, local.chamber_service, "keycloak_db_user")
    		203 |   value       = module.aurora_mysql.user
    		204 |   description = "Aurora MySQL Username for the master DB user"
    		205 |   type        = "String"
    		206 |   overwrite   = "true"
    		207 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_mysql_master_hostname
    	File: /deprecated/aws/keycloak-backing-services/aurora-mysql.tf:219-226
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		219 | resource "aws_ssm_parameter" "aurora_mysql_master_hostname" {
    		220 |   count       = local.mysql_cluster_enabled ? 1 : 0
    		221 |   name        = format(var.chamber_parameter_name_pattern, local.chamber_service, "keycloak_db_host")
    		222 |   value       = module.aurora_mysql.master_host
    		223 |   description = "Aurora MySQL DB Master hostname"
    		224 |   type        = "String"
    		225 |   overwrite   = "true"
    		226 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_mysql_port
    	File: /deprecated/aws/keycloak-backing-services/aurora-mysql.tf:228-235
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		228 | resource "aws_ssm_parameter" "aurora_mysql_port" {
    		229 |   count       = local.mysql_cluster_enabled ? 1 : 0
    		230 |   name        = format(var.chamber_parameter_name_pattern, local.chamber_service, "keycloak_db_port")
    		231 |   value       = "3306"
    		232 |   description = "Aurora MySQL DB Master hostname"
    		233 |   type        = "String"
    		234 |   overwrite   = "true"
    		235 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_mysql_replicas_hostname
    	File: /deprecated/aws/keycloak-backing-services/aurora-mysql.tf:237-244
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		237 | resource "aws_ssm_parameter" "aurora_mysql_replicas_hostname" {
    		238 |   count       = local.mysql_cluster_enabled ? 1 : 0
    		239 |   name        = format(var.chamber_parameter_name_pattern, local.chamber_service, "keycloak_aurora_mysql_replicas_hostname")
    		240 |   value       = module.aurora_mysql.replicas_host
    		241 |   description = "Aurora MySQL DB Replicas hostname"
    		242 |   type        = "String"
    		243 |   overwrite   = "true"
    		244 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_mysql_cluster_name
    	File: /deprecated/aws/keycloak-backing-services/aurora-mysql.tf:246-253
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		246 | resource "aws_ssm_parameter" "aurora_mysql_cluster_name" {
    		247 |   count       = local.mysql_cluster_enabled ? 1 : 0
    		248 |   name        = format(var.chamber_parameter_name_pattern, local.chamber_service, "keycloak_aurora_mysql_cluster_name")
    		249 |   value       = module.aurora_mysql.cluster_name
    		250 |   description = "Aurora MySQL DB Cluster Identifier"
    		251 |   type        = "String"
    		252 |   overwrite   = "true"
    		253 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.keycloak_db_vendor
    	File: /deprecated/aws/keycloak-backing-services/main.tf:65-72
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		65 | resource "aws_ssm_parameter" "keycloak_db_vendor" {
    		66 |   count       = local.mysql_cluster_enabled ? 1 : 0
    		67 |   name        = format(var.chamber_parameter_name_pattern, local.chamber_service, "keycloak_db_vendor")
    		68 |   value       = "mysql"
    		69 |   description = "Database Vendor, e.g. mysql, postgres"
    		70 |   type        = "String"
    		71 |   overwrite   = "true"
    		72 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.kops_autoscaler_iam_role_name
    	File: /deprecated/aws/kops-aws-platform/autoscaler-role.tf:39-45
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		39 | resource "aws_ssm_parameter" "kops_autoscaler_iam_role_name" {
    		40 |   name        = format(local.chamber_parameter_format, var.chamber_service, "kubernetes_autoscaler_iam_role_name")
    		41 |   value       = module.autoscaler_role.name
    		42 |   description = "IAM role name for cluster autoscaler"
    		43 |   type        = "String"
    		44 |   overwrite   = "true"
    		45 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.kops_efs_provisioner_role_name
    	File: /deprecated/aws/kops-aws-platform/efs-provisioner.tf:73-80
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		73 | resource "aws_ssm_parameter" "kops_efs_provisioner_role_name" {
    		74 |   count       = var.efs_enabled == "true" ? 1 : 0
    		75 |   name        = format(local.chamber_parameter_format, var.chamber_service, "kops_efs_provisioner_role_name")
    		76 |   value       = module.kops_efs_provisioner.role_name
    		77 |   description = "IAM role name for EFS provisioner"
    		78 |   type        = "String"
    		79 |   overwrite   = "true"
    		80 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.kops_efs_file_system_id
    	File: /deprecated/aws/kops-aws-platform/efs-provisioner.tf:82-89
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		82 | resource "aws_ssm_parameter" "kops_efs_file_system_id" {
    		83 |   count       = var.efs_enabled == "true" ? 1 : 0
    		84 |   name        = format(local.chamber_parameter_format, var.chamber_service, "kops_efs_file_system_id")
    		85 |   value       = module.kops_efs_provisioner.efs_id
    		86 |   description = "ID for shared EFS file system"
    		87 |   type        = "String"
    		88 |   overwrite   = "true"
    		89 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.kops_cluster_name
    	File: /deprecated/aws/kops/main.tf:138-144
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		138 | resource "aws_ssm_parameter" "kops_cluster_name" {
    		139 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_cluster_name")
    		140 |   value       = module.kops_state_backend.zone_name
    		141 |   description = "Kops cluster name"
    		142 |   type        = "String"
    		143 |   overwrite   = "true"
    		144 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.kops_state_store
    	File: /deprecated/aws/kops/main.tf:146-152
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		146 | resource "aws_ssm_parameter" "kops_state_store" {
    		147 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_state_store")
    		148 |   value       = "s3://${module.kops_state_backend.bucket_name}"
    		149 |   description = "Kops state store S3 bucket name"
    		150 |   type        = "String"
    		151 |   overwrite   = "true"
    		152 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.kops_state_store_region
    	File: /deprecated/aws/kops/main.tf:154-160
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		154 | resource "aws_ssm_parameter" "kops_state_store_region" {
    		155 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_state_store_region")
    		156 |   value       = module.kops_state_backend.bucket_region
    		157 |   description = "Kops state store (S3 bucket) region"
    		158 |   type        = "String"
    		159 |   overwrite   = "true"
    		160 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.kops_dns_zone
    	File: /deprecated/aws/kops/main.tf:162-168
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		162 | resource "aws_ssm_parameter" "kops_dns_zone" {
    		163 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_dns_zone")
    		164 |   value       = module.kops_state_backend.zone_name
    		165 |   description = "Kops DNS zone name"
    		166 |   type        = "String"
    		167 |   overwrite   = "true"
    		168 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.kops_dns_zone_id
    	File: /deprecated/aws/kops/main.tf:170-176
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		170 | resource "aws_ssm_parameter" "kops_dns_zone_id" {
    		171 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_dns_zone_id")
    		172 |   value       = module.kops_state_backend.zone_id
    		173 |   description = "Kops DNS zone ID"
    		174 |   type        = "String"
    		175 |   overwrite   = "true"
    		176 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.kops_network_cidr
    	File: /deprecated/aws/kops/main.tf:178-184
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		178 | resource "aws_ssm_parameter" "kops_network_cidr" {
    		179 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_network_cidr")
    		180 |   value       = local.vpc_network_cidr
    		181 |   description = "CIDR block of the kops virtual network"
    		182 |   type        = "String"
    		183 |   overwrite   = "true"
    		184 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.kops_shared_vpc_id[0]
    	File: /deprecated/aws/kops/main.tf:187-194
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		187 | resource "aws_ssm_parameter" "kops_shared_vpc_id" {
    		188 |   count       = var.create_vpc == "true" ? 0 : 1
    		189 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_shared_vpc_id")
    		190 |   value       = join("", data.aws_ssm_parameter.vpc_id.*.value)
    		191 |   description = "Kops (shared) VPC AWS ID"
    		192 |   type        = "String"
    		193 |   overwrite   = "true"
    		194 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.kops_shared_nat_gateways[0]
    	File: /deprecated/aws/kops/main.tf:197-204
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		197 | resource "aws_ssm_parameter" "kops_shared_nat_gateways" {
    		198 |   count       = var.create_vpc == "true" ? 0 : 1
    		199 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_shared_nat_gateways")
    		200 |   value       = var.use_shared_nat_gateways == "true" ? join("", data.aws_ssm_parameter.nat_gateways.*.value) : replace(local.private_subnet_cidrs, "/[^,]+/", "External")
    		201 |   description = "Kops (shared) private subnet NAT gateway AWS IDs"
    		202 |   type        = "String"
    		203 |   overwrite   = "true"
    		204 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.kops_shared_private_subnet_ids[0]
    	File: /deprecated/aws/kops/main.tf:207-214
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		207 | resource "aws_ssm_parameter" "kops_shared_private_subnet_ids" {
    		208 |   count       = var.create_vpc == "true" ? 0 : 1
    		209 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_shared_private_subnet_ids")
    		210 |   value       = join("", data.aws_ssm_parameter.private_subnet_ids.*.value)
    		211 |   description = "Kops private subnet AWS IDs"
    		212 |   type        = "String"
    		213 |   overwrite   = "true"
    		214 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.kops_shared_utility_subnet_ids[0]
    	File: /deprecated/aws/kops/main.tf:217-224
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		217 | resource "aws_ssm_parameter" "kops_shared_utility_subnet_ids" {
    		218 |   count       = var.create_vpc == "true" ? 0 : 1
    		219 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_shared_utility_subnet_ids")
    		220 |   value       = join("", data.aws_ssm_parameter.public_subnet_ids.*.value)
    		221 |   description = "Kops utility subnet AWS IDs"
    		222 |   type        = "String"
    		223 |   overwrite   = "true"
    		224 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.kops_private_subnets
    	File: /deprecated/aws/kops/main.tf:226-232
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		226 | resource "aws_ssm_parameter" "kops_private_subnets" {
    		227 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_private_subnets")
    		228 |   value       = local.private_subnet_cidrs
    		229 |   description = "Kops private subnet CIDRs"
    		230 |   type        = "String"
    		231 |   overwrite   = "true"
    		232 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.kops_utility_subnets
    	File: /deprecated/aws/kops/main.tf:234-240
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		234 | resource "aws_ssm_parameter" "kops_utility_subnets" {
    		235 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_utility_subnets")
    		236 |   value       = local.utility_subnet_cidrs
    		237 |   description = "Kops utility subnet CIDRs"
    		238 |   type        = "String"
    		239 |   overwrite   = "true"
    		240 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.kops_non_masquerade_cidr
    	File: /deprecated/aws/kops/main.tf:242-248
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		242 | resource "aws_ssm_parameter" "kops_non_masquerade_cidr" {
    		243 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_non_masquerade_cidr")
    		244 |   value       = var.kops_non_masquerade_cidr
    		245 |   description = "The CIDR range for Pod IPs"
    		246 |   type        = "String"
    		247 |   overwrite   = "true"
    		248 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.kops_availability_zones
    	File: /deprecated/aws/kops/main.tf:250-256
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		250 | resource "aws_ssm_parameter" "kops_availability_zones" {
    		251 |   name        = format(var.chamber_parameter_name, local.chamber_service, "kops_availability_zones")
    		252 |   value       = join(",", local.availability_zones)
    		253 |   description = "Kops availability zones in which cluster will be provisioned"
    		254 |   type        = "String"
    		255 |   overwrite   = "true"
    		256 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_postgres_database_name[0]
    	File: /deprecated/aws/sentry/aurora-postgres.tf:130-137
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		130 | resource "aws_ssm_parameter" "aurora_postgres_database_name" {
    		131 |   count       = local.postgres_cluster_enabled ? 1 : 0
    		132 |   name        = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_database")
    		133 |   value       = module.aurora_postgres.database_name
    		134 |   description = "Aurora Postgres Database Name for Sentry"
    		135 |   type        = "String"
    		136 |   overwrite   = true
    		137 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_postgres_master_username[0]
    	File: /deprecated/aws/sentry/aurora-postgres.tf:139-146
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		139 | resource "aws_ssm_parameter" "aurora_postgres_master_username" {
    		140 |   count       = local.postgres_cluster_enabled ? 1 : 0
    		141 |   name        = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_user")
    		142 |   value       = module.aurora_postgres.master_username
    		143 |   description = "Aurora Postgres Username for Sentry's master DB user"
    		144 |   type        = "String"
    		145 |   overwrite   = true
    		146 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_postgres_master_password[0]
    	File: /deprecated/aws/sentry/aurora-postgres.tf:148-155
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		148 | resource "aws_ssm_parameter" "aurora_postgres_master_password" {
    		149 |   count       = local.postgres_cluster_enabled ? 1 : 0
    		150 |   name        = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_password")
    		151 |   value       = local.postgres_admin_password
    		152 |   description = "Aurora Postgres Password for Sentry's master DB user"
    		153 |   type        = "String"
    		154 |   overwrite   = true
    		155 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_postgres_master_hostname[0]
    	File: /deprecated/aws/sentry/aurora-postgres.tf:157-164
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		157 | resource "aws_ssm_parameter" "aurora_postgres_master_hostname" {
    		158 |   count       = local.postgres_cluster_enabled ? 1 : 0
    		159 |   name        = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_host")
    		160 |   value       = module.aurora_postgres.master_host
    		161 |   description = "Aurora Postgres DB Master hostname"
    		162 |   type        = "String"
    		163 |   overwrite   = true
    		164 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_postgres_replicas_hostname[0]
    	File: /deprecated/aws/sentry/aurora-postgres.tf:166-173
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		166 | resource "aws_ssm_parameter" "aurora_postgres_replicas_hostname" {
    		167 |   count       = local.postgres_cluster_enabled ? 1 : 0
    		168 |   name        = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_replicas_hostname")
    		169 |   value       = module.aurora_postgres.replicas_host
    		170 |   description = "Aurora Postgres DB Replicas hostname"
    		171 |   type        = "String"
    		172 |   overwrite   = true
    		173 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.aurora_postgres_cluster_name[0]
    	File: /deprecated/aws/sentry/aurora-postgres.tf:175-182
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		175 | resource "aws_ssm_parameter" "aurora_postgres_cluster_name" {
    		176 |   count       = local.postgres_cluster_enabled ? 1 : 0
    		177 |   name        = format(local.chamber_parameter_format, local.chamber_service, "sentry_postgres_cluster_name")
    		178 |   value       = module.aurora_postgres.cluster_identifier
    		179 |   description = "Aurora Postgres DB Cluster Identifier"
    		180 |   type        = "String"
    		181 |   overwrite   = true
    		182 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.elasticache_redis_host[0]
    	File: /deprecated/aws/sentry/elasticache-redis.tf:63-70
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		63 | resource "aws_ssm_parameter" "elasticache_redis_host" {
    		64 |   count       = local.postgres_cluster_enabled ? 1 : 0
    		65 |   name        = format(local.chamber_parameter_format, local.chamber_service, "sentry_redis_host")
    		66 |   value       = module.elasticache_redis.host
    		67 |   description = "Elasticache host for Sentry"
    		68 |   type        = "String"
    		69 |   overwrite   = true
    		70 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.sentry_secret
    	File: /deprecated/aws/sentry/main.tf:42-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		42 | resource "aws_ssm_parameter" "sentry_secret" {
    		43 |   name        = format(local.chamber_parameter_format, local.chamber_service, "sentry_secret")
    		44 |   value       = random_string.sentry_secret_key.result
    		45 |   description = "Secret Key for Sentry to encrypt sessions"
    		46 |   type        = "String"
    		47 |   overwrite   = true
    		48 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.sentry_admin_user_password
    	File: /deprecated/aws/sentry/main.tf:50-56
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		50 | resource "aws_ssm_parameter" "sentry_admin_user_password" {
    		51 |   name        = format(local.chamber_parameter_format, local.chamber_service, "sentry_admin_user_password")
    		52 |   value       = random_string.sentry_admin_user_password.result
    		53 |   description = "Password for Sentry admin user"
    		54 |   type        = "String"
    		55 |   overwrite   = true
    		56 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.teleport_audit_sessions_uri
    	File: /deprecated/aws/teleport/main.tf:144-150
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		144 | resource "aws_ssm_parameter" "teleport_audit_sessions_uri" {
    		145 |   name        = format(var.chamber_parameter_name, local.chamber_service, "teleport_audit_sessions_uri")
    		146 |   value       = "s3://${module.teleport_backend.s3_bucket_id}"
    		147 |   description = "Teleport session logs storage URI"
    		148 |   type        = "String"
    		149 |   overwrite   = "true"
    		150 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.teleport_audit_events_uri
    	File: /deprecated/aws/teleport/main.tf:152-158
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		152 | resource "aws_ssm_parameter" "teleport_audit_events_uri" {
    		153 |   name        = format(var.chamber_parameter_name, local.chamber_service, "teleport_audit_events_uri")
    		154 |   value       = "dynamodb://${module.teleport_backend.dynamodb_audit_table_id}"
    		155 |   description = "Teleport audite events storage URI"
    		156 |   type        = "String"
    		157 |   overwrite   = "true"
    		158 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.teleport_cluster_state_dynamodb_table
    	File: /deprecated/aws/teleport/main.tf:160-166
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		160 | resource "aws_ssm_parameter" "teleport_cluster_state_dynamodb_table" {
    		161 |   name        = format(var.chamber_parameter_name, local.chamber_service, "teleport_cluster_state_dynamodb_table")
    		162 |   value       = module.teleport_backend.dynamodb_state_table_id
    		163 |   description = "Teleport cluster state storage dynamodb table"
    		164 |   type        = "String"
    		165 |   overwrite   = "true"
    		166 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.teleport_auth_iam_role
    	File: /deprecated/aws/teleport/main.tf:168-174
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		168 | resource "aws_ssm_parameter" "teleport_auth_iam_role" {
    		169 |   name        = format(var.chamber_parameter_name, local.chamber_service, "teleport_auth_iam_role")
    		170 |   value       = aws_iam_role.teleport.name
    		171 |   description = "Teleport auth IAM role"
    		172 |   type        = "String"
    		173 |   overwrite   = "true"
    		174 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.teleport_kubernetes_namespace
    	File: /deprecated/aws/teleport/main.tf:176-182
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		176 | resource "aws_ssm_parameter" "teleport_kubernetes_namespace" {
    		177 |   name        = format(var.chamber_parameter_name, local.chamber_service, "teleport_kubernetes_namespace")
    		178 |   value       = var.kubernetes_namespace
    		179 |   description = "Teleport auth IAM role"
    		180 |   type        = "String"
    		181 |   overwrite   = "true"
    		182 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.teleport_tokens[0]
    	File: /deprecated/aws/teleport/main.tf:198-205
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		198 | resource "aws_ssm_parameter" "teleport_tokens" {
    		199 |   count       = length(local.token_names)
    		200 |   name        = format(var.chamber_parameter_name, local.chamber_service, "${element(local.token_names, count.index)}")
    		201 |   value       = element(random_string.tokens.*.result, count.index)
    		202 |   description = "Teleport join token: ${element(local.token_names, count.index)}"
    		203 |   type        = "String"
    		204 |   overwrite   = "true"
    		205 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.teleport_proxy_domain_name
    	File: /deprecated/aws/teleport/main.tf:207-213
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		207 | resource "aws_ssm_parameter" "teleport_proxy_domain_name" {
    		208 |   name        = format(var.chamber_parameter_name, local.chamber_service, "teleport_proxy_domain_name")
    		209 |   value       = var.teleport_proxy_domain_name
    		210 |   description = "Teleport Proxy domain name"
    		211 |   type        = "String"
    		212 |   overwrite   = "true"
    		213 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.teleport_version
    	File: /deprecated/aws/teleport/main.tf:215-221
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		215 | resource "aws_ssm_parameter" "teleport_version" {
    		216 |   name        = format(var.chamber_parameter_name, local.chamber_service, "teleport_version")
    		217 |   value       = var.teleport_version
    		218 |   description = "Teleport version to install"
    		219 |   type        = "String"
    		220 |   overwrite   = "true"
    		221 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.vpc_id
    	File: /deprecated/aws/vpc/main.tf:62-68
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		62 | resource "aws_ssm_parameter" "vpc_id" {
    		63 |   description = "VPC ID of backing services"
    		64 |   name        = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "vpc_id")
    		65 |   value       = module.vpc.vpc_id
    		66 |   type        = "String"
    		67 |   overwrite   = "true"
    		68 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.igw_id
    	File: /deprecated/aws/vpc/main.tf:70-76
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		70 | resource "aws_ssm_parameter" "igw_id" {
    		71 |   description = "VPC ID of backing services"
    		72 |   name        = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "igw_id")
    		73 |   value       = module.vpc.igw_id
    		74 |   type        = "String"
    		75 |   overwrite   = "true"
    		76 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.cidr_block
    	File: /deprecated/aws/vpc/main.tf:78-84
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		78 | resource "aws_ssm_parameter" "cidr_block" {
    		79 |   description = "VPC ID of backing services"
    		80 |   name        = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "cidr_block")
    		81 |   value       = module.vpc.vpc_cidr_block
    		82 |   type        = "String"
    		83 |   overwrite   = "true"
    		84 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.availability_zones
    	File: /deprecated/aws/vpc/main.tf:86-92
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		86 | resource "aws_ssm_parameter" "availability_zones" {
    		87 |   name        = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "availability_zones")
    		88 |   value       = join(",", local.availability_zones)
    		89 |   description = "VPC subnet availability zones"
    		90 |   type        = "String"
    		91 |   overwrite   = "true"
    		92 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.nat_gateways
    	File: /deprecated/aws/vpc/main.tf:94-101
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		94  | resource "aws_ssm_parameter" "nat_gateways" {
    		95  |   count       = var.vpc_nat_gateway_enabled == "true" ? 1 : 0
    		96  |   name        = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "nat_gateways")
    		97  |   value       = join(",", module.subnets.nat_gateway_ids)
    		98  |   description = "VPC private NAT gateways"
    		99  |   type        = "String"
    		100 |   overwrite   = "true"
    		101 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.nat_instances
    	File: /deprecated/aws/vpc/main.tf:103-110
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		103 | resource "aws_ssm_parameter" "nat_instances" {
    		104 |   count       = var.vpc_nat_instance_enabled == "true" ? 1 : 0
    		105 |   name        = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "nat_instances")
    		106 |   value       = join(",", module.subnets.nat_instance_ids)
    		107 |   description = "VPC private NAT instances"
    		108 |   type        = "String"
    		109 |   overwrite   = "true"
    		110 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.private_subnet_cidrs
    	File: /deprecated/aws/vpc/main.tf:112-118
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		112 | resource "aws_ssm_parameter" "private_subnet_cidrs" {
    		113 |   name        = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "private_subnet_cidrs")
    		114 |   value       = join(",", module.subnets.private_subnet_cidrs)
    		115 |   description = "VPC private subnet CIDRs"
    		116 |   type        = "String"
    		117 |   overwrite   = "true"
    		118 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.private_subnet_ids
    	File: /deprecated/aws/vpc/main.tf:120-126
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		120 | resource "aws_ssm_parameter" "private_subnet_ids" {
    		121 |   name        = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "private_subnet_ids")
    		122 |   value       = join(",", module.subnets.private_subnet_ids)
    		123 |   description = "VPC private subnet AWS IDs"
    		124 |   type        = "String"
    		125 |   overwrite   = "true"
    		126 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.public_subnet_cidrs
    	File: /deprecated/aws/vpc/main.tf:128-134
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		128 | resource "aws_ssm_parameter" "public_subnet_cidrs" {
    		129 |   name        = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "public_subnet_cidrs")
    		130 |   value       = join(",", module.subnets.public_subnet_cidrs)
    		131 |   description = "VPC public subnet CIDRs"
    		132 |   type        = "String"
    		133 |   overwrite   = "true"
    		134 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.public_subnet_ids
    	File: /deprecated/aws/vpc/main.tf:136-142
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		136 | resource "aws_ssm_parameter" "public_subnet_ids" {
    		137 |   name        = format(var.chamber_parameter_name, local.chamber_service, module.parameter_prefix.id, "public_subnet_ids")
    		138 |   value       = join(",", module.subnets.public_subnet_ids)
    		139 |   description = "VPC public subnet AWS IDs"
    		140 |   type        = "String"
    		141 |   overwrite   = "true"
    		142 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.acm_arn
    	File: /modules/acm/main.tf:38-48
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		38 | resource "aws_ssm_parameter" "acm_arn" {
    		39 |   count = local.enabled ? 1 : 0
    		40 | 
    		41 |   name        = "/acm/${local.domain_name}"
    		42 |   value       = module.acm.arn
    		43 |   description = format("ACM certificate ARN for '%s' domain", local.domain_name)
    		44 |   type        = "String"
    		45 |   overwrite   = true
    		46 | 
    		47 |   tags = module.this.tags
    		48 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.acm_arn
    	File: /modules/dns-delegated/acm.tf:36-46
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		36 | resource "aws_ssm_parameter" "acm_arn" {
    		37 |   for_each = local.certificate_enabled ? local.zone_map : {}
    		38 | 
    		39 |   name        = format("/acm/%s.%s", each.key, each.value)
    		40 |   value       = module.acm[each.key].arn
    		41 |   description = "ACM certificate id"
    		42 |   type        = "String"
    		43 |   overwrite   = true
    		44 | 
    		45 |   tags = module.this.tags
    		46 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.master_username
    	File: /modules/documentdb/ssm.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		1 | resource "aws_ssm_parameter" "master_username" {
    		2 |   count = local.enabled ? 1 : 0
    		3 | 
    		4 |   name  = "/${module.this.name}/master_username"
    		5 |   type  = "String"
    		6 |   value = var.master_username
    		7 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.full_urls
    	File: /modules/ecs-service/systems-manager.tf:48-59
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		48 | resource "aws_ssm_parameter" "full_urls" {
    		49 |   for_each = local.ssm_enabled ? local.params : {}
    		50 | 
    		51 |   name        = each.key
    		52 |   description = each.value.description
    		53 |   type        = each.value.type
    		54 |   key_id      = var.kms_alias_name_ssm
    		55 |   value       = each.value.value
    		56 |   overwrite   = true
    		57 | 
    		58 |   tags = module.this.tags
    		59 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.elasticsearch_domain_endpoint
    	File: /modules/elasticsearch/main.tf:84-91
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		84 | resource "aws_ssm_parameter" "elasticsearch_domain_endpoint" {
    		85 |   count       = local.enabled ? 1 : 0
    		86 |   name        = local.elasticsearch_domain_endpoint
    		87 |   value       = module.elasticsearch.domain_endpoint
    		88 |   description = "Domain-specific endpoint used to submit index, search, and data upload requests"
    		89 |   type        = "String"
    		90 |   overwrite   = true
    		91 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.elasticsearch_kibana_endpoint
    	File: /modules/elasticsearch/main.tf:93-100
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		93  | resource "aws_ssm_parameter" "elasticsearch_kibana_endpoint" {
    		94  |   count       = local.enabled ? 1 : 0
    		95  |   name        = local.elasticsearch_kibana_endpoint
    		96  |   value       = module.elasticsearch.kibana_endpoint
    		97  |   description = "Domain-specific endpoint for Kibana without https scheme"
    		98  |   type        = "String"
    		99  |   overwrite   = true
    		100 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.rds_database_user
    	File: /modules/rds/systems-manager.tf:54-62
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		54 | resource "aws_ssm_parameter" "rds_database_user" {
    		55 |   count = local.ssm_enabled ? 1 : 0
    		56 | 
    		57 |   name        = format(var.ssm_key_format, var.ssm_key_prefix, var.name, var.ssm_key_user)
    		58 |   value       = local.database_user
    		59 |   description = "RDS DB user"
    		60 |   type        = "String"
    		61 |   overwrite   = true
    		62 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.rds_database_hostname
    	File: /modules/rds/systems-manager.tf:75-83
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		75 | resource "aws_ssm_parameter" "rds_database_hostname" {
    		76 |   count = local.ssm_enabled ? 1 : 0
    		77 | 
    		78 |   name        = format(var.ssm_key_format, var.ssm_key_prefix, var.name, var.ssm_key_hostname)
    		79 |   value       = module.rds_instance.hostname == "" ? module.rds_instance.instance_address : module.rds_instance.hostname
    		80 |   description = "RDS DB hostname"
    		81 |   type        = "String"
    		82 |   overwrite   = true
    		83 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.rds_database_port
    	File: /modules/rds/systems-manager.tf:85-93
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		85 | resource "aws_ssm_parameter" "rds_database_port" {
    		86 |   count = local.ssm_enabled ? 1 : 0
    		87 | 
    		88 |   name        = format(var.ssm_key_format, var.ssm_key_prefix, var.name, var.ssm_key_port)
    		89 |   value       = var.database_port
    		90 |   description = "RDS DB port"
    		91 |   type        = "String"
    		92 |   overwrite   = true
    		93 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.redshift_database_name
    	File: /modules/redshift/systems-manager.tf:54-62
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		54 | resource "aws_ssm_parameter" "redshift_database_name" {
    		55 |   count = local.ssm_enabled ? 1 : 0
    		56 | 
    		57 |   name        = format(var.ssm_key_format, var.ssm_key_prefix, var.name, var.ssm_key_port)
    		58 |   value       = local.database_name
    		59 |   description = "Redshift DB port"
    		60 |   type        = "String"
    		61 |   overwrite   = true
    		62 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.redshift_database_user
    	File: /modules/redshift/systems-manager.tf:64-72
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		64 | resource "aws_ssm_parameter" "redshift_database_user" {
    		65 |   count = local.ssm_enabled ? 1 : 0
    		66 | 
    		67 |   name        = format(var.ssm_key_format, var.ssm_key_prefix, var.name, var.ssm_key_user)
    		68 |   value       = local.admin_user
    		69 |   description = "Redshift DB user"
    		70 |   type        = "String"
    		71 |   overwrite   = true
    		72 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.redshift_database_hostname
    	File: /modules/redshift/systems-manager.tf:85-93
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		85 | resource "aws_ssm_parameter" "redshift_database_hostname" {
    		86 |   count = local.ssm_enabled ? 1 : 0
    		87 | 
    		88 |   name        = format(var.ssm_key_format, var.ssm_key_prefix, var.name, var.ssm_key_hostname)
    		89 |   value       = module.redshift_cluster.endpoint
    		90 |   description = "Redshift DB hostname"
    		91 |   type        = "String"
    		92 |   overwrite   = true
    		93 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.redshift_database_port
    	File: /modules/redshift/systems-manager.tf:95-103
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		95  | resource "aws_ssm_parameter" "redshift_database_port" {
    		96  |   count = local.ssm_enabled ? 1 : 0
    		97  | 
    		98  |   name        = format(var.ssm_key_format, var.ssm_key_prefix, var.name, var.ssm_key_port)
    		99  |   value       = var.port
    		100 |   description = "Redshift DB port"
    		101 |   type        = "String"
    		102 |   overwrite   = true
    		103 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.destination
    	File: /modules/ssm-parameters/main.tf:28-40
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		28 | resource "aws_ssm_parameter" "destination" {
    		29 |   for_each = local.params
    		30 | 
    		31 |   name        = each.key
    		32 |   description = each.value.description
    		33 |   tier        = each.value.tier
    		34 |   type        = each.value.type
    		35 |   key_id      = var.kms_arn
    		36 |   value       = each.value.value
    		37 |   overwrite   = each.value.overwrite
    		38 | 
    		39 |   tags = module.this.tags
    		40 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.acl_arn
    	File: /modules/waf/main.tf:56-65
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		56 | resource "aws_ssm_parameter" "acl_arn" {
    		57 |   count = local.enabled ? 1 : 0
    		58 | 
    		59 |   name        = "${var.ssm_path_prefix}/${var.acl_name}/arn"
    		60 |   value       = module.aws_waf.arn
    		61 |   description = "ARN for WAF web ACL ${var.acl_name}"
    		62 |   type        = "String"
    		63 |   overwrite   = true
    		64 |   tags        = module.this.tags
    		65 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.teleport_tokens[1]
    	File: /deprecated/aws/teleport/main.tf:198-205
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		198 | resource "aws_ssm_parameter" "teleport_tokens" {
    		199 |   count       = length(local.token_names)
    		200 |   name        = format(var.chamber_parameter_name, local.chamber_service, "${element(local.token_names, count.index)}")
    		201 |   value       = element(random_string.tokens.*.result, count.index)
    		202 |   description = "Teleport join token: ${element(local.token_names, count.index)}"
    		203 |   type        = "String"
    		204 |   overwrite   = "true"
    		205 | }
    
    Check: CKV2_AWS_34: "AWS SSM Parameter should be Encrypted"
    	FAILED for resource: aws_ssm_parameter.teleport_tokens[2]
    	File: /deprecated/aws/teleport/main.tf:198-205
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-aws-ssm-parameter-is-encrypted.html
    
    		198 | resource "aws_ssm_parameter" "teleport_tokens" {
    		199 |   count       = length(local.token_names)
    		200 |   name        = format(var.chamber_parameter_name, local.chamber_service, "${element(local.token_names, count.index)}")
    		201 |   value       = element(random_string.tokens.*.result, count.index)
    		202 |   description = "Teleport join token: ${element(local.token_names, count.index)}"
    		203 |   type        = "String"
    		204 |   overwrite   = "true"
    		205 | }
    
    Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
    	FAILED for resource: aws_route53_zone.dns_zone
    	File: /deprecated/aws/account-dns/main.tf:22-24
    
    		22 | resource "aws_route53_zone" "dns_zone" {
    		23 |   name = var.domain_name
    		24 | }
    
    Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
    	FAILED for resource: aws_route53_zone.parent_dns_zone
    	File: /deprecated/aws/root-dns/parent.tf:6-9
    
    		6 | resource "aws_route53_zone" "parent_dns_zone" {
    		7 |   name    = var.parent_domain_name
    		8 |   comment = "Parent domain name"
    		9 | }
    
    Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
    	FAILED for resource: aws_route53_zone.root_dns_zone
    	File: /deprecated/aws/root-dns/root.tf:6-9
    
    		6 | resource "aws_route53_zone" "root_dns_zone" {
    		7 |   name    = var.root_domain_name
    		8 |   comment = "DNS Zone for Root Account"
    		9 | }
    
    Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
    	FAILED for resource: aws_route53_zone.default
    	File: /modules/dns-delegated/main.tf:17-25
    
    		17 | resource "aws_route53_zone" "default" {
    		18 |   for_each = local.public_enabled ? local.zone_map : {}
    		19 | 
    		20 |   name    = format("%s.%s", each.key, each.value)
    		21 |   comment = format("DNS zone for %s.%s", each.key, each.value)
    		22 | 
    		23 | 
    		24 |   tags = module.this.tags
    		25 | }
    
    Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
    	FAILED for resource: aws_route53_zone.private
    	File: /modules/dns-delegated/main.tf:27-54
    
    		27 | resource "aws_route53_zone" "private" {
    		28 |   for_each = local.private_enabled ? local.zone_map : {}
    		29 | 
    		30 |   name    = format("%s.%s", each.key, each.value)
    		31 |   comment = format("DNS zone for %s.%s", each.key, each.value)
    		32 | 
    		33 |   # The reason why this isn't in the original route53 zone is because this shows up as an update
    		34 |   # when the aws provider should replace it. Using a separate resource allows the user to toggle
    		35 |   # between private and public without manual targeted destroys.
    		36 |   # See: https://github.com/hashicorp/terraform-provider-aws/issues/7614
    		37 |   dynamic "vpc" {
    		38 |     for_each = local.private_enabled ? [true] : []
    		39 | 
    		40 |     content {
    		41 |       vpc_id = module.vpc[var.vpc_primary_environment_name].outputs.vpc_id
    		42 |     }
    		43 |   }
    		44 | 
    		45 |   tags = module.this.tags
    		46 | 
    		47 |   # Prevent the deletion of associated VPCs after
    		48 |   # the initial creation. See documentation on
    		49 |   # aws_route53_zone_association for details
    		50 |   # See https://github.com/hashicorp/terraform-provider-aws/issues/14872#issuecomment-682008493
    		51 |   lifecycle {
    		52 |     ignore_changes = [vpc]
    		53 |   }
    		54 | }
    
    Check: CKV2_AWS_39: "Ensure Domain Name System (DNS) query logging is enabled for Amazon Route 53 hosted zones"
    	FAILED for resource: aws_route53_zone.root
    	File: /modules/dns-primary/main.tf:7-13
    
    		7  | resource "aws_route53_zone" "root" {
    		8  |   for_each = local.domains_set
    		9  | 
    		10 |   name    = each.value
    		11 |   comment = "DNS zone for the ${each.value} root domain"
    		12 |   tags    = module.this.tags
    		13 | }
    
    Check: CKV2_AWS_3: "Ensure GuardDuty is enabled to specific org/region"
    	FAILED for resource: aws_guardduty_detector.this[0]
    	File: /deprecated/guardduty/root/main.tf:19-29
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-guardduty-is-enabled-to-specific-orgregion.html
    
    		19 | resource "aws_guardduty_detector" "this" {
    		20 |   count = local.enabled && var.administrator_account != null && var.administrator_account != "" ? 1 : 0
    		21 | 
    		22 |   enable = true
    		23 | 
    		24 |   datasources {
    		25 |     s3_logs {
    		26 |       enable = true
    		27 |     }
    		28 |   }
    		29 | }
    
    Check: CKV2_AWS_23: "Route53 A Record has Attached Resource"
    	FAILED for resource: aws_route53_record.local_dns_name
    	File: /deprecated/aws/root-dns/parent-local-ns.tf:1-7
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-route53-a-record-has-an-attached-resource.html
    
    		1 | resource "aws_route53_record" "local_dns_name" {
    		2 |   zone_id = aws_route53_zone.parent_dns_zone.zone_id
    		3 |   name    = "local"
    		4 |   type    = "A"
    		5 |   ttl     = "30"
    		6 |   records = ["127.0.0.1"]
    		7 | }
    
    Check: CKV2_AWS_23: "Route53 A Record has Attached Resource"
    	FAILED for resource: aws_route53_record.local_dns_wildcard
    	File: /deprecated/aws/root-dns/parent-local-ns.tf:9-15
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-route53-a-record-has-an-attached-resource.html
    
    		9  | resource "aws_route53_record" "local_dns_wildcard" {
    		10 |   zone_id = aws_route53_zone.parent_dns_zone.zone_id
    		11 |   name    = "*.local"
    		12 |   type    = "A"
    		13 |   ttl     = "30"
    		14 |   records = ["127.0.0.1"]
    		15 | }
    
    Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
    	FAILED for resource: aws_security_group.default
    	File: /modules/ecs/main.tf:30-35
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis.html
    
    		30 | resource "aws_security_group" "default" {
    		31 |   count       = local.enabled ? 1 : 0
    		32 |   name        = module.this.id
    		33 |   description = "ECS cluster EC2 autoscale capacity providers"
    		34 |   vpc_id      = module.vpc.outputs.vpc_id
    		35 | }
    
    Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
    	FAILED for resource: aws_route53_zone.dns_zone
    	File: /deprecated/aws/account-dns/main.tf:22-24
    
    		22 | resource "aws_route53_zone" "dns_zone" {
    		23 |   name = var.domain_name
    		24 | }
    
    Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
    	FAILED for resource: aws_route53_zone.parent_dns_zone
    	File: /deprecated/aws/root-dns/parent.tf:6-9
    
    		6 | resource "aws_route53_zone" "parent_dns_zone" {
    		7 |   name    = var.parent_domain_name
    		8 |   comment = "Parent domain name"
    		9 | }
    
    Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
    	FAILED for resource: aws_route53_zone.root_dns_zone
    	File: /deprecated/aws/root-dns/root.tf:6-9
    
    		6 | resource "aws_route53_zone" "root_dns_zone" {
    		7 |   name    = var.root_domain_name
    		8 |   comment = "DNS Zone for Root Account"
    		9 | }
    
    Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
    	FAILED for resource: aws_route53_zone.default
    	File: /modules/dns-delegated/main.tf:17-25
    
    		17 | resource "aws_route53_zone" "default" {
    		18 |   for_each = local.public_enabled ? local.zone_map : {}
    		19 | 
    		20 |   name    = format("%s.%s", each.key, each.value)
    		21 |   comment = format("DNS zone for %s.%s", each.key, each.value)
    		22 | 
    		23 | 
    		24 |   tags = module.this.tags
    		25 | }
    
    Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
    	FAILED for resource: aws_route53_zone.private
    	File: /modules/dns-delegated/main.tf:27-54
    
    		27 | resource "aws_route53_zone" "private" {
    		28 |   for_each = local.private_enabled ? local.zone_map : {}
    		29 | 
    		30 |   name    = format("%s.%s", each.key, each.value)
    		31 |   comment = format("DNS zone for %s.%s", each.key, each.value)
    		32 | 
    		33 |   # The reason why this isn't in the original route53 zone is because this shows up as an update
    		34 |   # when the aws provider should replace it. Using a separate resource allows the user to toggle
    		35 |   # between private and public without manual targeted destroys.
    		36 |   # See: https://github.com/hashicorp/terraform-provider-aws/issues/7614
    		37 |   dynamic "vpc" {
    		38 |     for_each = local.private_enabled ? [true] : []
    		39 | 
    		40 |     content {
    		41 |       vpc_id = module.vpc[var.vpc_primary_environment_name].outputs.vpc_id
    		42 |     }
    		43 |   }
    		44 | 
    		45 |   tags = module.this.tags
    		46 | 
    		47 |   # Prevent the deletion of associated VPCs after
    		48 |   # the initial creation. See documentation on
    		49 |   # aws_route53_zone_association for details
    		50 |   # See https://github.com/hashicorp/terraform-provider-aws/issues/14872#issuecomment-682008493
    		51 |   lifecycle {
    		52 |     ignore_changes = [vpc]
    		53 |   }
    		54 | }
    
    Check: CKV2_AWS_38: "Ensure Domain Name System Security Extensions (DNSSEC) signing is enabled for Amazon Route 53 public hosted zones"
    	FAILED for resource: aws_route53_zone.root
    	File: /modules/dns-primary/main.tf:7-13
    
    		7  | resource "aws_route53_zone" "root" {
    		8  |   for_each = local.domains_set
    		9  | 
    		10 |   name    = each.value
    		11 |   comment = "DNS zone for the ${each.value} root domain"
    		12 |   tags    = module.this.tags
    		13 | }
    
    dockerfile scan results:
    
    Passed checks: 136, Failed checks: 4, Skipped checks: 0
    
    Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
    	FAILED for resource: /Dockerfile.
    	File: /Dockerfile:1-3
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created.html
    
    		1 | FROM scratch
    		2 | COPY modules/ /modules
    		3 | WORKDIR /modules
    
    Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
    	FAILED for resource: /Dockerfile.
    	File: /Dockerfile:1-3
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
    
    		1 | FROM scratch
    		2 | COPY modules/ /modules
    		3 | WORKDIR /modules
    
    Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
    	FAILED for resource: /deprecated/github-actions-runner/runners/runner/Dockerfile.
    	File: /deprecated/github-actions-runner/runners/runner/Dockerfile:1-34
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images.html
    
    		1  | ARG VERSION=2.281.0-ubuntu-20.04
    		2  | 
    		3  | FROM summerwind/actions-runner-dind:v$VERSION
    		4  | 
    		5  | # We want to ignore the metadata server, which would normally have high priority,
    		6  | # because we want to pick up the EKS Service Account role, not the EC2 instance profile role
    		7  | ENV AWS_EC2_METADATA_DISABLED=true
    		8  | 
    		9  | # We are not using ~/.aws/config or ~/.aws/credentials so we want to prevent
    		10 | # the AWS SDK from looking for or at them (and complaining they do not exist)
    		11 | ENV AWS_SDK_LOAD_CONFIG=false
    		12 | 
    		13 | ARG ECR_CREDENTIAL_HELPER_VERSION=0.5.0
    		14 | RUN sudo wget -nv https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${ECR_CREDENTIAL_HELPER_VERSION}/linux-amd64/docker-credential-ecr-login \
    		15 |     -O /usr/local/bin/docker-credential-ecr-login && \
    		16 |     sudo chmod a+x /usr/local/bin/docker-credential-ecr-login
    		17 | 
    		18 | USER root
    		19 | 
    		20 | ENV TERM=dumb
    		21 | 
    		22 | # Add CloudPosse package repo
    		23 | RUN apt-get update && apt-get install -y apt-utils && apt-get install -y curl
    		24 | RUN curl -1sLf 'https://dl.cloudsmith.io/public/cloudposse/packages/cfg/setup/bash.deb.sh' | bash
    		25 | 
    		26 | # Install Chamber
    		27 | RUN apt-get install -y awscli chamber
    		28 | 
    		29 | COPY docker-config.json /home/runner/.docker/config.json
    		30 | 
    		31 | RUN chown -R runner:root /home/runner
    		32 | 
    		33 | USER runner
    		34 | RUN id
    
    Check: CKV2_DOCKER_1: "Ensure that sudo isn't used"
    	FAILED for resource: /deprecated/github-actions-runner/runners/runner/Dockerfile.RUN
    	File: /deprecated/github-actions-runner/runners/runner/Dockerfile:14-16
    
    		14 | RUN sudo wget -nv https://amazon-ecr-credential-helper-releases.s3.us-east-2.amazonaws.com/${ECR_CREDENTIAL_HELPER_VERSION}/linux-amd64/docker-credential-ecr-login \
    		15 |     -O /usr/local/bin/docker-credential-ecr-login && \
    		16 |     sudo chmod a+x /usr/local/bin/docker-credential-ecr-login
    
    secrets scan results:
    
    Passed checks: 0, Failed checks: 3, Skipped checks: 0
    
    Check: CKV_SECRET_6: "Base64 High Entropy String"
    	FAILED for resource: 949ff93e118b74f9152192169c7a7b232a1eb9df
    	File: /deprecated/aws/kops/main.tf:53-54
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
    
    		53 |   ssh_private_key_name = "kops_***************"
    
    Check: CKV_SECRET_6: "Base64 High Entropy String"
    	FAILED for resource: 70bacdd84f4fbfd92520369b572b7806b85d51c5
    	File: /modules/eks/cert-manager/cert-manager-issuer/values.yaml:5-6
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
    
    		5 | selfsigned_secretname: ca*********
    
    Check: CKV_SECRET_6: "Base64 High Entropy String"
    	FAILED for resource: 8278de8619381b204fb63e28d383fd4cd5c64b83
    	File: /modules/eks/external-secrets-operator/examples/external-secrets.yaml:16-17
    	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/secrets-policies/secrets-policy-index/git-secrets-6.html
    
    		16 |   - secretKey: go*********
    
    github_actions scan results:
    
    Passed checks: 124, Failed checks: 4, Skipped checks: 0
    
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(pre-commit-check-and-autocommit-changes)
    	File: /.github/workflows/pre-commit-check-and-autocommit-changes.yaml:0-1
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(bats)
    	File: /.github/workflows/bats.yml:0-1
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(Validate Codeowners)
    	File: /.github/workflows/validate-codeowners.yml:0-1
    Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
    	FAILED for resource: on(auto-release)
    	File: /.github/workflows/auto-release.yml:0-1
    
    
                    
                  

    Linting

    This repository failed the Experience Builder Terraform Module's Linting validation. This means that no linting tool was found in any of the CI/CD tool configuration files in the repository.

    There is an opportunity to: