EM feat: add test lab db #16883

Open
matt-heery wants to merge 1 commit into main from add-test-lab-db

Conversation

@matt-heery
Contributor

No description provided.

@matt-heery matt-heery requested review from a team as code owners May 27, 2026 09:49
@github-actions github-actions Bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label May 27, 2026
@github-actions
Contributor


Checkov Scan Success

*****************************

Checkov will check the following folders:
terraform/environments/electronic-monitoring-data

*****************************

Running Checkov in terraform/environments/electronic-monitoring-data
2026-05-27 09:51:07,122 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=d88bd90): list index out of range
2026-05-27 09:51:07,122 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/modernisation-platform-terraform-bastion-linux?ref=1eaf3c9): list index out of range
2026-05-27 09:51:07,122 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/modernisation-platform-terraform-aws-chatbot?ref=0ec33c7bfde5649af3c23d0834ea85c849edf3ac): list index out of range
2026-05-27 09:51:07,122 [MainThread  ] [WARNI]  Unable to load module (terraform-aws-modules/secrets-manager/aws): list index out of range
2026-05-27 09:51:07,122 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=9facf9f): list index out of range
2026-05-27 09:51:07,122 [MainThread  ] [WARNI]  Unable to load module (terraform-aws-modules/iam/aws//modules/iam-policy): list index out of range
2026-05-27 09:51:07,122 [MainThread  ] [WARNI]  Unable to load module (terraform-aws-modules/iam/aws//modules/iam-role): list index out of range
terraform scan results:

Passed checks: 6584, Failed checks: 61, Skipped checks: 270

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.cloudwatch
	File: /api_gateway.tf:99-115
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		99  | data "aws_iam_policy_document" "cloudwatch" {
		100 |   statement {
		101 |     effect = "Allow"
		102 |
		103 |     actions = [
		104 |       "logs:CreateLogGroup",
		105 |       "logs:CreateLogStream",
		106 |       "logs:DescribeLogGroups",
		107 |       "logs:DescribeLogStreams",
		108 |       "logs:PutLogEvents",
		109 |       "logs:GetLogEvents",
		110 |       "logs:FilterLogEvents",
		111 |     ]
		112 |
		113 |     resources = ["*"]
		114 |   }
		115 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.cloudwatch
	File: /api_gateway.tf:99-115
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		99  | data "aws_iam_policy_document" "cloudwatch" {
		100 |   statement {
		101 |     effect = "Allow"
		102 |
		103 |     actions = [
		104 |       "logs:CreateLogGroup",
		105 |       "logs:CreateLogStream",
		106 |       "logs:DescribeLogGroups",
		107 |       "logs:DescribeLogStreams",
		108 |       "logs:PutLogEvents",
		109 |       "logs:GetLogEvents",
		110 |       "logs:FilterLogEvents",
		111 |     ]
		112 |
		113 |     resources = ["*"]
		114 |   }
		115 | }

Check: CKV_AWS_319: "Ensure that CloudWatch alarm actions are enabled"
	FAILED for resource: aws_cloudwatch_metric_alarm.sqs_dlq_has_messages
	File: /cloudwatch-alarms.tf:61-95
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-319

		61 | resource "aws_cloudwatch_metric_alarm" "sqs_dlq_has_messages" {
		62 |   for_each = local.sqs_dlq_alarm_queues
		63 |
		64 |   alarm_name = try(
		65 |     each.value.alarm_name,
		66 |     "${replace(each.value.queue_name, "-", "_")}_has_messages"
		67 |   )
		68 |
		69 |   alarm_description = try(
		70 |     each.value.alarm_description,
		71 |     "Triggered when ${each.value.queue_name} contains messages"
		72 |   )
		73 |
		74 |   comparison_operator = "GreaterThanThreshold"
		75 |   evaluation_periods  = 1
		76 |   threshold           = 0
		77 |   treat_missing_data  = "notBreaching"
		78 |
		79 |   # Use EventBridge -> cloudwatch_alarm_threader -> SNS custom notifications.
		80 |   # Disable direct alarm actions to avoid duplicate Slack messages.
		81 |   actions_enabled = false
		82 |
		83 |   metric_name = "ApproximateNumberOfMessagesVisible"
		84 |   namespace   = "AWS/SQS"
		85 |   period      = 60
		86 |   statistic   = "Sum"
		87 |
		88 |   dimensions = {
		89 |     QueueName = each.value.queue_name
		90 |   }
		91 |
		92 |   alarm_actions = [
		93 |     aws_sns_topic.emds_alerts.arn
		94 |   ]
		95 | }

Check: CKV_AWS_319: "Ensure that CloudWatch alarm actions are enabled"
	FAILED for resource: aws_cloudwatch_metric_alarm.mdss_reconciler_errors_alarm[0]
	File: /cloudwatch-alarms.tf:97-120
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-319

		97  | resource "aws_cloudwatch_metric_alarm" "mdss_reconciler_errors_alarm" {
		98  |   count               = 1
		99  |   alarm_name          = "mdss_reconciler_errors"
		100 |   alarm_description   = "Triggered when the mdss_reconciler Lambda records errors"
		101 |   comparison_operator = "GreaterThanThreshold"
		102 |   evaluation_periods  = 1
		103 |   threshold           = 0
		104 |   treat_missing_data  = "notBreaching"
		105 |
		106 |   actions_enabled = false
		107 |
		108 |   metric_name = "Errors"
		109 |   namespace   = "AWS/Lambda"
		110 |   period      = 60
		111 |   statistic   = "Sum"
		112 |
		113 |   dimensions = {
		114 |     FunctionName = module.mdss_load_redrive_controller[0].lambda_function_name
		115 |   }
		116 |
		117 |   alarm_actions = [
		118 |     aws_sns_topic.emds_alerts.arn
		119 |   ]
		120 | }

Check: CKV_AWS_319: "Ensure that CloudWatch alarm actions are enabled"
	FAILED for resource: aws_cloudwatch_metric_alarm.glue_database_count_high
	File: /cloudwatch-alarms.tf:122-144
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-319

		122 | resource "aws_cloudwatch_metric_alarm" "glue_database_count_high" {
		123 |   alarm_name          = "glue_database_count_high"
		124 |   alarm_description   = "Triggered when Glue database count is above 8000 (approaching 10k limit)"
		125 |   comparison_operator = "GreaterThanThreshold"
		126 |   evaluation_periods  = 1
		127 |   threshold           = 8000
		128 |   treat_missing_data  = "notBreaching"
		129 |
		130 |   actions_enabled = false
		131 |
		132 |   metric_name = "GlueDatabaseCount"
		133 |   namespace   = "EMDS/Glue"
		134 |   period      = 300
		135 |   statistic   = "Maximum"
		136 |
		137 |   dimensions = {
		138 |     Environment = local.environment_shorthand
		139 |   }
		140 |
		141 |   alarm_actions = [
		142 |     aws_sns_topic.emds_alerts.arn
		143 |   ]
		144 | }
Check: CKV_AWS_79: "Ensure Instance Metadata Service Version 1 is not enabled"
	FAILED for resource: aws_launch_template.shred_unstructured_from_zip_batch_storage_template
	File: /gdpr_batch_jobs.tf:155-167
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-31

		155 | resource "aws_launch_template" "shred_unstructured_from_zip_batch_storage_template" {
		156 |   name_prefix = "shred-unstructured-from-zip-"
		157 |
		158 |   block_device_mappings {
		159 |     device_name = "/dev/xvda"
		160 |     ebs {
		161 |       volume_size           = 1500
		162 |       volume_type           = "gp3"
		163 |       delete_on_termination = true
		164 |       encrypted             = true
		165 |     }
		166 |   }
		167 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.gdpr_batch_jobs_logs_policy_document
	File: /gdpr_batch_jobs.tf:238-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		238 | data "aws_iam_policy_document" "gdpr_batch_jobs_logs_policy_document" {
		239 |   statement {
		240 |     effect = "Allow"
		241 |     actions = [
		242 |       "logs:CreateLogStream",
		243 |       "logs:PutLogEvents",
		244 |     ]
		245 |     resources = ["*"]
		246 |   }
		247 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.gdpr_batch_jobs_logs_policy_document
	File: /gdpr_batch_jobs.tf:238-247
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		238 | data "aws_iam_policy_document" "gdpr_batch_jobs_logs_policy_document" {
		239 |   statement {
		240 |     effect = "Allow"
		241 |     actions = [
		242 |       "logs:CreateLogStream",
		243 |       "logs:PutLogEvents",
		244 |     ]
		245 |     resources = ["*"]
		246 |   }
		247 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.gdpr_batch_jobs_ecr_policy_document
	File: /gdpr_batch_jobs.tf:259-270
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		259 | data "aws_iam_policy_document" "gdpr_batch_jobs_ecr_policy_document" {
		260 |   statement {
		261 |     effect = "Allow"
		262 |     actions = [
		263 |       "ecr:GetAuthorizationToken",
		264 |       "ecr:BatchCheckLayerAvailability",
		265 |       "ecr:GetDownloadUrlForLayer",
		266 |       "ecr:BatchGetImage"
		267 |     ]
		268 |     resources = ["*"]
		269 |   }
		270 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.ecs_execution_policy
	File: /gdpr_jobs.tf:25-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		25 | data "aws_iam_policy_document" "ecs_execution_policy" {
		26 |   statement {
		27 |     effect = "Allow"
		28 |     actions = [
		29 |       "ecs:*",
		30 |       "elasticloadbalancing:*",
		31 |       "cloudwatch:*",
		32 |       "logs:*"
		33 |     ]
		34 |     resources = ["*"]
		35 |   }
		36 |
		37 |   statement {
		38 |     effect = "Allow"
		39 |     actions = [
		40 |       "ecr:GetAuthorizationToken"
		41 |     ]
		42 |     resources = ["*"]
		43 |   }
		44 |
		45 |   statement {
		46 |     effect = "Allow"
		47 |     actions = [
		48 |       "ecr:BatchCheckLayerAvailability",
		49 |       "ecr:GetDownloadUrlForLayer",
		50 |       "ecr:BatchGetImage"
		51 |     ]
		52 |     resources = ["*"]
		53 |   }
		54 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ecs_execution_policy
	File: /gdpr_jobs.tf:25-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		25 | data "aws_iam_policy_document" "ecs_execution_policy" {
		26 |   statement {
		27 |     effect = "Allow"
		28 |     actions = [
		29 |       "ecs:*",
		30 |       "elasticloadbalancing:*",
		31 |       "cloudwatch:*",
		32 |       "logs:*"
		33 |     ]
		34 |     resources = ["*"]
		35 |   }
		36 |
		37 |   statement {
		38 |     effect = "Allow"
		39 |     actions = [
		40 |       "ecr:GetAuthorizationToken"
		41 |     ]
		42 |     resources = ["*"]
		43 |   }
		44 |
		45 |   statement {
		46 |     effect = "Allow"
		47 |     actions = [
		48 |       "ecr:BatchCheckLayerAvailability",
		49 |       "ecr:GetDownloadUrlForLayer",
		50 |       "ecr:BatchGetImage"
		51 |     ]
		52 |     resources = ["*"]
		53 |   }
		54 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.gdpr_structured_job_policy_document
	File: /gdpr_jobs.tf:82-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.gdpr_structured_job_policy_document
	File: /gdpr_jobs.tf:82-140
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.process_fms_metadata_lambda_role_policy_document
	File: /lambdas_iam.tf:581-623
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		581 | data "aws_iam_policy_document" "process_fms_metadata_lambda_role_policy_document" {
		582 |   statement {
		583 |     sid    = "S3Permissions"
		584 |     effect = "Allow"
		585 |     actions = [
		586 |       "s3:GetObject",
		587 |       "s3:GetBucketLocation",
		588 |       "s3:ListBucket",
		589 |       "s3:PutObject",
		590 |     ]
		591 |     resources = [
		592 |       "${module.s3-data-bucket.bucket.arn}/*",
		593 |       module.s3-data-bucket.bucket.arn,
		594 |     ]
		595 |   }
		596 |   statement {
		597 |     sid    = "SQSQueuePermissions"
		598 |     effect = "Allow"
		599 |     actions = [
		600 |       "sqs:SendMessage"
		601 |     ]
		602 |     resources = [
		603 |       aws_sqs_queue.format_fms_json_event_queue.arn
		604 |     ]
		605 |   }
		606 |   statement {
		607 |     sid    = "AllowPublishToAlertsTopic"
		608 |     effect = "Allow"
		609 |     actions = [
		610 |       "sns:Publish",
		611 |     ]
		612 |     resources = [aws_sns_topic.emds_alerts.arn]
		613 |   }
		614 |   statement {
		615 |     sid    = "AllowLambdaToUseKey"
		616 |     effect = "Allow"
		617 |     actions = [
		618 |       "kms:GenerateDataKey",
		619 |       "kms:Decrypt"
		620 |     ]
		621 |     resources = ["*"]
		622 |   }
		623 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.process_fms_metadata_lambda_role_policy_document
	File: /lambdas_iam.tf:581-623
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		581 | data "aws_iam_policy_document" "process_fms_metadata_lambda_role_policy_document" {
		582 |   statement {
		583 |     sid    = "S3Permissions"
		584 |     effect = "Allow"
		585 |     actions = [
		586 |       "s3:GetObject",
		587 |       "s3:GetBucketLocation",
		588 |       "s3:ListBucket",
		589 |       "s3:PutObject",
		590 |     ]
		591 |     resources = [
		592 |       "${module.s3-data-bucket.bucket.arn}/*",
		593 |       module.s3-data-bucket.bucket.arn,
		594 |     ]
		595 |   }
		596 |   statement {
		597 |     sid    = "SQSQueuePermissions"
		598 |     effect = "Allow"
		599 |     actions = [
		600 |       "sqs:SendMessage"
		601 |     ]
		602 |     resources = [
		603 |       aws_sqs_queue.format_fms_json_event_queue.arn
		604 |     ]
		605 |   }
		606 |   statement {
		607 |     sid    = "AllowPublishToAlertsTopic"
		608 |     effect = "Allow"
		609 |     actions = [
		610 |       "sns:Publish",
		611 |     ]
		612 |     resources = [aws_sns_topic.emds_alerts.arn]
		613 |   }
		614 |   statement {
		615 |     sid    = "AllowLambdaToUseKey"
		616 |     effect = "Allow"
		617 |     actions = [
		618 |       "kms:GenerateDataKey",
		619 |       "kms:Decrypt"
		620 |     ]
		621 |     resources = ["*"]
		622 |   }
		623 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_dms_output_lambda_role_policy_document
	File: /lambdas_iam.tf:647-740
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_mdss_lambda_role_policy_document
	File: /lambdas_iam.tf:778-917
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.load_fms_lambda_role_policy_document
	File: /lambdas_iam.tf:953-1082
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_fms_lambda_role_policy_document
	File: /lambdas_iam.tf:953-1082
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.load_historic_csv_lambda_role_policy_document
	File: /lambdas_iam.tf:1118-1212
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.ears_sars_iam_role_policy_document
	File: /lambdas_iam.tf:1515-1637
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.landing_dlq_redriver_policy_document
	File: /lambdas_iam.tf:2149-2232
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.macie_unstructured_job_iam_role_policy_document
	File: /lambdas_iam.tf:2449-2462
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		2449 | data "aws_iam_policy_document" "macie_unstructured_job_iam_role_policy_document" {
		2450 |   count = local.is-development ? 1 : 0
		2451 |   statement {
		2452 |     sid    = "MacieJobManagement"
		2453 |     effect = "Allow"
		2454 |     actions = [
		2455 |       "macie2:ListClassificationJobs",
		2456 |       "macie2:CreateClassificationJob"
		2457 |     ]
		2458 |     resources = [
		2459 |       "*"
		2460 |     ]
		2461 |   }
		2462 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.macie_unstructured_job_iam_role_policy_document
	File: /lambdas_iam.tf:2449-2462
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		2449 | data "aws_iam_policy_document" "macie_unstructured_job_iam_role_policy_document" {
		2450 |   count = local.is-development ? 1 : 0
		2451 |   statement {
		2452 |     sid    = "MacieJobManagement"
		2453 |     effect = "Allow"
		2454 |     actions = [
		2455 |       "macie2:ListClassificationJobs",
		2456 |       "macie2:CreateClassificationJob"
		2457 |     ]
		2458 |     resources = [
		2459 |       "*"
		2460 |     ]
		2461 |   }
		2462 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: create_p1_export_iam_policy
	File: /lambdas_iam.tf:2078-2088
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2078 | module "create_p1_export_iam_policy" {
		2079 |   source = "terraform-aws-modules/iam/aws//modules/iam-policy"
		2080 |
		2081 |   name        = "create_p1_export"
		2082 |   path        = "/"
		2083 |   description = "Policy for creating P1 export"
		2084 |
		2085 |   policy = data.aws_iam_policy_document.p1_export_airflow.json
		2086 |
		2087 |   tags = local.tags
		2088 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: create_p1_export_iam_policy
	File: /lambdas_iam.tf:2078-2088
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		2078 | module "create_p1_export_iam_policy" {
		2079 |   source = "terraform-aws-modules/iam/aws//modules/iam-policy"
		2080 |
		2081 |   name        = "create_p1_export"
		2082 |   path        = "/"
		2083 |   description = "Policy for creating P1 export"
		2084 |
		2085 |   policy = data.aws_iam_policy_document.p1_export_airflow.json
		2086 |
		2087 |   tags = local.tags
		2088 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: create_p1_export_iam_role
	File: /lambdas_iam.tf:2090-2114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		2090 | module "create_p1_export_iam_role" {
		2091 |   source = "terraform-aws-modules/iam/aws//modules/iam-role"
		2092 |
		2093 |   name = "create_p1_export"
		2094 |
		2095 |   trust_policy_permissions = {
		2096 |     TrustRoleAndServiceToAssume = {
		2097 |       actions = [
		2098 |         "sts:AssumeRole",
		2099 |       ]
		2100 |       principals = [{
		2101 |         type = "Service"
		2102 |         identifiers = [
		2103 |           "lambda.amazonaws.com",
		2104 |         ]
		2105 |       }]
		2106 |     }
		2107 |   }
		2108 |
		2109 |   policies = {
		2110 |     main_policy = module.create_p1_export_iam_policy.arn
		2111 |   }
		2112 |
		2113 |   tags = local.tags
		2114 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: create_p1_export_iam_role
	File: /lambdas_iam.tf:2090-2114
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		2090 | module "create_p1_export_iam_role" {
		2091 |   source = "terraform-aws-modules/iam/aws//modules/iam-role"
		2092 |
		2093 |   name = "create_p1_export"
		2094 |
		2095 |   trust_policy_permissions = {
		2096 |     TrustRoleAndServiceToAssume = {
		2097 |       actions = [
		2098 |         "sts:AssumeRole",
		2099 |       ]
		2100 |       principals = [{
		2101 |         type = "Service"
		2102 |         identifiers = [
		2103 |           "lambda.amazonaws.com",
		2104 |         ]
		2105 |       }]
		2106 |     }
		2107 |   }
		2108 |
		2109 |   policies = {
		2110 |     main_policy = module.create_p1_export_iam_policy.arn
		2111 |   }
		2112 |
		2113 |   tags = local.tags
		2114 | }

Check: CKV_AWS_297: "Ensure EventBridge Scheduler Schedule uses Customer Managed Key (CMK)"
	FAILED for resource: aws_scheduler_schedule.mdss_daily_failure_digest
	File: /lambdas_main.tf:608-623
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-297

		608 | resource "aws_scheduler_schedule" "mdss_daily_failure_digest" {
		609 |   name        = "mdss_daily_failure_digest_0800"
		610 |   description = "Runs mdss_daily_failure_digest daily at 08:00 Europe/London"
		611 |
		612 |   flexible_time_window {
		613 |     mode = "OFF"
		614 |   }
		615 |
		616 |   schedule_expression          = "cron(0 8 * * ? *)"
		617 |   schedule_expression_timezone = "Europe/London"
		618 |
		619 |   target {
		620 |     arn      = module.live_feed_daily_handover.lambda_function_arn
		621 |     role_arn = aws_iam_role.mdss_daily_failure_digest_scheduler.arn
		622 |   }
		623 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.load_fms_lambda.aws_cloudwatch_log_group.lambda_cloudwatch_group
	File: /modules/lambdas/main.tf:140-144
	Calling File: /lambdas_main.tf:388-413
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		140 | resource "aws_cloudwatch_log_group" "lambda_cloudwatch_group" {
		141 |   name              = "/aws/lambda/${var.function_name}"
		142 |   retention_in_days = var.cloudwatch_retention_days
		143 |   kms_key_id        = aws_kms_key.lambda_env_key.arn
		144 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.load_mdss_lambda.aws_cloudwatch_log_group.lambda_cloudwatch_group
	File: /modules/lambdas/main.tf:140-144
	Calling File: /lambdas_main.tf:354-382
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		140 | resource "aws_cloudwatch_log_group" "lambda_cloudwatch_group" {
		141 |   name              = "/aws/lambda/${var.function_name}"
		142 |   retention_in_days = var.cloudwatch_retention_days
		143 |   kms_key_id        = aws_kms_key.lambda_env_key.arn
		144 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.merge_ac_position.aws_cloudwatch_log_group.lambda_cloudwatch_group
	File: /modules/lambdas/main.tf:140-144
	Calling File: /lambdas_main.tf:946-966
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		140 | resource "aws_cloudwatch_log_group" "lambda_cloudwatch_group" {
		141 |   name              = "/aws/lambda/${var.function_name}"
		142 |   retention_in_days = var.cloudwatch_retention_days
		143 |   kms_key_id        = aws_kms_key.lambda_env_key.arn
		144 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.merge_mdss_staged_event.aws_cloudwatch_log_group.lambda_cloudwatch_group
	File: /modules/lambdas/main.tf:140-144
	Calling File: /lambdas_main.tf:902-922
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		140 | resource "aws_cloudwatch_log_group" "lambda_cloudwatch_group" {
		141 |   name              = "/aws/lambda/${var.function_name}"
		142 |   retention_in_days = var.cloudwatch_retention_days
		143 |   kms_key_id        = aws_kms_key.lambda_env_key.arn
		144 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.merge_mdss_staged_position.aws_cloudwatch_log_group.lambda_cloudwatch_group
	File: /modules/lambdas/main.tf:140-144
	Calling File: /lambdas_main.tf:924-944
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		140 | resource "aws_cloudwatch_log_group" "lambda_cloudwatch_group" {
		141 |   name              = "/aws/lambda/${var.function_name}"
		142 |   retention_in_days = var.cloudwatch_retention_days
		143 |   kms_key_id        = aws_kms_key.lambda_env_key.arn
		144 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.s3-fms-general-landing-bucket.aws_iam_policy_document.replication-policy
	File: /modules/landing_bucket/cross_account_copy.tf:34-102
	Calling File: /s3.tf:629-651
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.s3-fms-general-landing-bucket.aws_iam_policy_document.replication-policy
	File: /modules/landing_bucket/cross_account_copy.tf:34-102
	Calling File: /s3.tf:629-651
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.s3-fms-ho-landing-bucket.aws_iam_policy_document.replication-policy
	File: /modules/landing_bucket/cross_account_copy.tf:34-102
	Calling File: /s3.tf:666-688
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.s3-fms-ho-landing-bucket.aws_iam_policy_document.replication-policy
	File: /modules/landing_bucket/cross_account_copy.tf:34-102
	Calling File: /s3.tf:666-688
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.s3-fms-specials-landing-bucket.aws_iam_policy_document.replication-policy
	File: /modules/landing_bucket/cross_account_copy.tf:34-102
	Calling File: /s3.tf:703-725
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.s3-fms-specials-landing-bucket.aws_iam_policy_document.replication-policy
	File: /modules/landing_bucket/cross_account_copy.tf:34-102
	Calling File: /s3.tf:703-725
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.s3-mdss-general-landing-bucket.aws_iam_policy_document.replication-policy
	File: /modules/landing_bucket/cross_account_copy.tf:34-102
	Calling File: /s3.tf:744-767
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.s3-mdss-general-landing-bucket.aws_iam_policy_document.replication-policy
	File: /modules/landing_bucket/cross_account_copy.tf:34-102
	Calling File: /s3.tf:744-767
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.s3-mdss-ho-landing-bucket.aws_iam_policy_document.replication-policy
	File: /modules/landing_bucket/cross_account_copy.tf:34-102
	Calling File: /s3.tf:769-792
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.s3-mdss-ho-landing-bucket.aws_iam_policy_document.replication-policy
	File: /modules/landing_bucket/cross_account_copy.tf:34-102
	Calling File: /s3.tf:769-792
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.s3-mdss-specials-landing-bucket.aws_iam_policy_document.replication-policy
	File: /modules/landing_bucket/cross_account_copy.tf:34-102
	Calling File: /s3.tf:794-817
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.s3-mdss-specials-landing-bucket.aws_iam_policy_document.replication-policy
	File: /modules/landing_bucket/cross_account_copy.tf:34-102
	Calling File: /s3.tf:794-817
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_380: "Ensure AWS Transfer Server uses latest Security Policy"
	FAILED for resource: aws_transfer_server.this
	File: /modules/landing_zone/main.tf:144-180
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/bc-aws-380

		144 | resource "aws_transfer_server" "this" {
		145 |   protocols              = ["SFTP"]
		146 |   identity_provider_type = "SERVICE_MANAGED"
		147 |
		148 |   endpoint_type = "VPC"
		149 |   endpoint_details {
		150 |     vpc_id                 = var.vpc_id
		151 |     subnet_ids             = var.subnet_ids
		152 |     address_allocation_ids = [aws_eip.this.id]
		153 |     security_group_ids     = local.landing_zone_security_group_ids
		154 |   }
		155 |
		156 |   domain = "S3"
		157 |
		158 |   security_policy_name = "TransferSecurityPolicy-2024-01"
		159 |
		160 |   pre_authentication_login_banner = "\nHello there\n"
		161 |
		162 |   workflow_details {
		163 |     on_upload {
		164 |       workflow_id    = aws_transfer_workflow.this.id
		165 |       execution_role = aws_iam_role.this_transfer_workflow.arn
		166 |     }
		167 |   }
		168 |
		169 |   logging_role = aws_iam_role.iam_for_transfer.arn
		170 |   structured_log_destinations = [
		171 |     "${aws_cloudwatch_log_group.this.arn}:*"
		172 |   ]
		173 |
		174 |   tags = merge(
		175 |     var.local_tags,
		176 |     {
		177 |       supplier = var.supplier,
		178 |     },
		179 |   )
		180 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: cross_account_details
	File: /secrets.tf:56-96
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		56 | module "cross_account_details" {
		57 |   count  = local.is-preproduction || local.is-test || local.is-production ? 1 : 0
		58 |   source = "terraform-aws-modules/secrets-manager/aws"
		59 |
		60 |   name_prefix             = "cross_account_details"
		61 |   description             = "Details for cross account share"
		62 |   recovery_window_in_days = 30
		63 |
		64 |   create_policy       = true
		65 |   block_public_policy = true
		66 |   policy_statements = {
		67 |     read = {
		68 |       sid = "AllowAccountRead"
		69 |       principals = [{
		70 |         type        = "AWS"
		71 |         identifiers = ["arn:aws:iam::${local.env_account_id}:root"]
		72 |       }]
		73 |       actions   = ["secretsmanager:GetSecretValue"]
		74 |       resources = ["*"]
		75 |     }
		76 |   }
		77 |
		78 |   ignore_secret_changes = true
		79 |   secret_string = jsonencode({
		80 |     fms_general_bucket   = ""
		81 |     fms_general_kms_id   = ""
		82 |     fms_ho_bucket        = ""
		83 |     fms_ho_kms_id        = ""
		84 |     fms_specials_bucket  = ""
		85 |     fms_specials_kms_id  = ""
		86 |     mdss_general_bucket  = ""
		87 |     mdss_general_kms_id  = ""
		88 |     mdss_specials_bucket = ""
		89 |     mdss_specials_kms_id = ""
		90 |     mdss_ho_bucket       = ""
		91 |     mdss_ho_kms_id       = ""
		92 |     account_id           = ""
		93 |   })
		94 |
		95 |   tags = local.tags
		96 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: cross_account_details
	File: /secrets.tf:56-96
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		56 | module "cross_account_details" {
		57 |   count  = local.is-preproduction || local.is-test || local.is-production ? 1 : 0
		58 |   source = "terraform-aws-modules/secrets-manager/aws"
		59 |
		60 |   name_prefix             = "cross_account_details"
		61 |   description             = "Details for cross account share"
		62 |   recovery_window_in_days = 30
		63 |
		64 |   create_policy       = true
		65 |   block_public_policy = true
		66 |   policy_statements = {
		67 |     read = {
		68 |       sid = "AllowAccountRead"
		69 |       principals = [{
		70 |         type        = "AWS"
		71 |         identifiers = ["arn:aws:iam::${local.env_account_id}:root"]
		72 |       }]
		73 |       actions   = ["secretsmanager:GetSecretValue"]
		74 |       resources = ["*"]
		75 |     }
		76 |   }
		77 |
		78 |   ignore_secret_changes = true
		79 |   secret_string = jsonencode({
		80 |     fms_general_bucket   = ""
		81 |     fms_general_kms_id   = ""
		82 |     fms_ho_bucket        = ""
		83 |     fms_ho_kms_id        = ""
		84 |     fms_specials_bucket  = ""
		85 |     fms_specials_kms_id  = ""
		86 |     mdss_general_bucket  = ""
		87 |     mdss_general_kms_id  = ""
		88 |     mdss_specials_bucket = ""
		89 |     mdss_specials_kms_id = ""
		90 |     mdss_ho_bucket       = ""
		91 |     mdss_ho_kms_id       = ""
		92 |     account_id           = ""
		93 |   })
		94 |
		95 |   tags = local.tags
		96 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.em_data_validation_permissions
	File: /share_cloud_platform.tf:222-271
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.em_dashboard_ear_sar_permissions
	File: /share_cloud_platform.tf:273-296
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		273 | data "aws_iam_policy_document" "em_dashboard_ear_sar_permissions" {
		274 |   count = local.is-preproduction ? 1 : 0
		275 |   statement {
		276 |     sid = "AllowAccessToTriggerEARSARAPI"
		277 |     effect = "Allow"
		278 |     actions   = ["execute-api:Invoke"]
		279 |     resources = ["arn:aws:execute-api:${data.aws_region.current.name}:${local.env_account_id}:${module.ears_sars_api[0].api_gateway_id}/*"]
		280 |   }
		281 |   statement {
		282 |     sid       = "ListAccountAliasForEnvironmentClass"
		283 |     effect    = "Allow"
		284 |     actions   = ["iam:ListAccountAliases"]
		285 |     resources = ["*"]
		286 |   }
		287 |   statement {
		288 |     sid    = "ListAllBucketsForEnvironmentClass"
		289 |     effect = "Allow"
		290 |     actions = [
		291 |       "s3:ListAllMyBuckets",
		292 |       "s3:GetBucketLocation"
		293 |     ]
		294 |     resources = ["*"]
		295 |   }
		296 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.emds_alerts_kms
	File: /sns.tf:16-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.emds_alerts_kms
	File: /sns.tf:16-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.emds_alerts_kms
	File: /sns.tf:16-111
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.sns_delivery_logging_policy
	File: /sns.tf:254-264
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		254 | data "aws_iam_policy_document" "sns_delivery_logging_policy" {
		255 |   statement {
		256 |     effect = "Allow"
		257 |     actions = [
		258 |       "logs:CreateLogGroup",
		259 |       "logs:CreateLogStream",
		260 |       "logs:PutLogEvents"
		261 |     ]
		262 |     resources = ["*"]
		263 |   }
		264 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.sns_delivery_logging_policy
	File: /sns.tf:254-264
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		254 | data "aws_iam_policy_document" "sns_delivery_logging_policy" {
		255 |   statement {
		256 |     effect = "Allow"
		257 |     actions = [
		258 |       "logs:CreateLogGroup",
		259 |       "logs:CreateLogStream",
		260 |       "logs:PutLogEvents"
		261 |     ]
		262 |     resources = ["*"]
		263 |   }
		264 | }

Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.staging_db_janitor
	File: /step_functions_main.tf:125-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.staging_db_janitor
	File: /step_functions_main.tf:125-222
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_284: "Ensure State Machine has X-Ray tracing enabled"
	FAILED for resource: aws_sfn_state_machine.landing_dlq_redriver
	File: /step_functions_main.tf:228-349
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-284

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_285: "Ensure State Machine has execution history logging enabled"
	FAILED for resource: aws_sfn_state_machine.landing_dlq_redriver
	File: /step_functions_main.tf:228-349
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-285

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_5: "Ensure that Security Groups are attached to another resource"
	FAILED for resource: aws_security_group.ecs_generic
	File: /ecs_sg.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-that-security-groups-are-attached-to-ec2-instances-or-elastic-network-interfaces-enis

		1 | resource "aws_security_group" "ecs_generic" {
		2 |   name_prefix = "${local.bucket_prefix}-generic-ecs-sg"
		3 |   description = "Generic ECS Security Group"
		4 |   vpc_id      = data.aws_vpc.shared.id
		5 |
		6 |   lifecycle {
		7 |     create_before_destroy = true
		8 |   }
		9 | }

secrets scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 1


checkov_exitcode=1

TFLint Scan Success

Show Output
*****************************

Using default config
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint checking:
terraform/environments/electronic-monitoring-data

*****************************

Running tflint in terraform/environments/electronic-monitoring-data
3 issue(s) found:

Warning: module "create_p1_export_iam_policy" should specify a version (terraform_module_version)

  on terraform/environments/electronic-monitoring-data/lambdas_iam.tf line 2078:
2078: module "create_p1_export_iam_policy" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_version.md

Warning: module "create_p1_export_iam_role" should specify a version (terraform_module_version)

  on terraform/environments/electronic-monitoring-data/lambdas_iam.tf line 2090:
2090: module "create_p1_export_iam_role" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_version.md

Warning: module "cross_account_details" should specify a version (terraform_module_version)

  on terraform/environments/electronic-monitoring-data/secrets.tf line 56:
  56: module "cross_account_details" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_module_version.md

tflint_exitcode=2
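
A remediation sketch for the recurring findings in the scan output above, added here as an example; it is not code from this PR or from the environments repository. It scopes the SNS delivery-logging statement to the log groups SNS actually writes to (`sns/<region>/<account-id>/<topic-name>` and its `/Failure` sibling), turns on execution-history logging and X-Ray tracing for a state machine with the IAM permissions those features need, and pins the registry module with a version constraint. Every identifier prefixed `example_`, the `data.aws_caller_identity.current` lookup and the `version` constraint are placeholders; `data.aws_region.current` is the lookup the repo already uses in `share_cloud_platform.tf`.

```hcl
# Added remediation sketch for the Checkov/TFLint findings; not code from this PR.
# Names prefixed "example_" and the module version constraint are placeholders.

data "aws_caller_identity" "current" {} # assumed to exist alongside data.aws_region.current

locals {
  example_region     = data.aws_region.current.name
  example_account_id = data.aws_caller_identity.current.account_id
}

# --- CKV_AWS_111 / CKV_AWS_356 on sns_delivery_logging_policy ------------------
# SNS delivery-status logging writes to log groups named
# sns/<region>/<account-id>/<topic-name> and .../<topic-name>/Failure, so the
# logs: actions can be confined to that prefix instead of "*".
data "aws_iam_policy_document" "example_sns_delivery_logging_policy" {
  statement {
    sid    = "SnsDeliveryStatusLogs"
    effect = "Allow"
    actions = [
      "logs:CreateLogGroup",
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    resources = [
      "arn:aws:logs:${local.example_region}:${local.example_account_id}:log-group:sns/${local.example_region}/${local.example_account_id}/*",
    ]
  }
}

# --- CKV_AWS_284 / CKV_AWS_285 on staging_db_janitor / landing_dlq_redriver ----
resource "aws_cloudwatch_log_group" "example_sfn" {
  name              = "/aws/vendedlogs/states/example-janitor"
  retention_in_days = 365
}

data "aws_iam_policy_document" "example_sfn_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["states.amazonaws.com"]
    }
  }
}

# The vended-log delivery and X-Ray actions Step Functions needs have no
# resource-level permissions, so "*" is the only valid resource here; say so
# for Checkov instead of leaving the wildcard unexplained.
data "aws_iam_policy_document" "example_sfn_logging" {
  #checkov:skip=CKV_AWS_356:logs:*LogDelivery*, logs:PutResourcePolicy and xray:* do not support resource-level permissions
  statement {
    effect = "Allow"
    actions = [
      "logs:CreateLogDelivery",
      "logs:GetLogDelivery",
      "logs:UpdateLogDelivery",
      "logs:DeleteLogDelivery",
      "logs:ListLogDeliveries",
      "logs:PutResourcePolicy",
      "logs:DescribeResourcePolicies",
      "logs:DescribeLogGroups",
    ]
    resources = ["*"]
  }
  statement {
    effect    = "Allow"
    actions   = ["xray:PutTraceSegments", "xray:PutTelemetryRecords", "xray:GetSamplingRules", "xray:GetSamplingTargets"]
    resources = ["*"]
  }
}

resource "aws_iam_role" "example_sfn" {
  name               = "example-sfn-janitor"
  assume_role_policy = data.aws_iam_policy_document.example_sfn_assume.json
}

resource "aws_iam_role_policy" "example_sfn_logging" {
  role   = aws_iam_role.example_sfn.id
  policy = data.aws_iam_policy_document.example_sfn_logging.json
}

resource "aws_sfn_state_machine" "example_janitor" {
  name     = "example-janitor"
  role_arn = aws_iam_role.example_sfn.arn
  definition = jsonencode({
    StartAt = "Done"
    States  = { Done = { Type = "Succeed" } }
  })

  logging_configuration {
    log_destination        = "${aws_cloudwatch_log_group.example_sfn.arn}:*"
    include_execution_data = false # true would copy every state's input/output into the log group
    level                  = "ALL"
  }

  tracing_configuration {
    enabled = true
  }
}

# --- CKV_TF_2 / TFLint terraform_module_version on cross_account_details -------
module "example_cross_account_details" {
  source  = "terraform-aws-modules/secrets-manager/aws"
  version = "~> 1.3" # placeholder constraint; pin to the release that was actually reviewed

  name_prefix   = "example_cross_account_details"
  secret_string = jsonencode({ account_id = "" })
}
```

Not every `"*"` above is fixable the same way. The `em_dashboard_ear_sar_permissions` hits on `iam:ListAccountAliases` and `s3:ListAllMyBuckets` are actions with no resource-level permissions, so a narrower ARN is not possible and the honest fix is a documented `#checkov:skip=CKV_AWS_356` on that statement; `s3:GetBucketLocation`, by contrast, is bucket-scoped and belongs in its own statement listing the bucket ARNs. For the git-sourced modules that CKV_TF_1 covers, the repo's existing `?ref=<commit>` convention (visible in the Checkov module-load warnings) is the pinning it expects.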

@matt-heery matt-heery had a problem deploying to electronic-monitoring-data-test May 27, 2026 09:53 — with GitHub Actions Failure
@matt-heery matt-heery had a problem deploying to electronic-monitoring-data-development May 27, 2026 09:53 — with GitHub Actions Failure