turn on include_subdomains #16953

Open
ttipler wants to merge 6 commits into main from OPS-1170

@ttipler ttipler commented Jun 1, 2026

Collaborator

No description provided.

@ttipler ttipler requested review from a team as code owners June 1, 2026 15:29
@github-actions github-actions Bot added the environments-repository label (used to exclude PRs from this repo in our Slack PR update) Jun 1, 2026
@ttipler ttipler temporarily deployed to youth-justice-app-framework-development June 1, 2026 15:32 — with GitHub Actions Inactive
@ttipler ttipler temporarily deployed to youth-justice-app-framework-test June 1, 2026 15:34 — with GitHub Actions Inactive

github-actions Bot commented Jun 2, 2026

Contributor

⚠️ Binary or Archive Files Detected

The following files match binary or archive extensions:

  • terraform/environments/youth-justice-app-framework/lambda_code/malware-threat-notifier.zip (Extension: .zip, Size: 0MB)

The Modernisation Platform Team urge you to consider storing these files outside of this git repository for the following reasons:

  • These file types are often large, which can bloat the repository and slow down cloning and fetching for all users.
  • Storing such files in git goes against best practices; they are better managed in object storage (e.g. S3 or artifact repositories).
  • Binary and archive files cannot be efficiently diffed or merged, making code review and collaboration difficult.

If you believe these files are necessary, please contact the Modernisation Platform Team for a review.

@ttipler ttipler temporarily deployed to youth-justice-app-framework-development June 2, 2026 12:50 — with GitHub Actions Inactive
@ttipler ttipler temporarily deployed to youth-justice-app-framework-test June 2, 2026 12:50 — with GitHub Actions Inactive
@ttipler ttipler temporarily deployed to youth-justice-app-framework-test June 8, 2026 08:59 — with GitHub Actions Inactive
@ttipler ttipler temporarily deployed to youth-justice-app-framework-development June 8, 2026 09:00 — with GitHub Actions Inactive

github-actions Bot commented Jun 8, 2026

Contributor

Checkov Scan Success

*****************************

Checkov will check the following folders:
terraform/environments/youth-justice-app-framework
terraform/environments/youth-justice-app-framework/modules/aurora
terraform/environments/youth-justice-app-framework/modules/cloudfront

*****************************

Running Checkov in terraform/environments/youth-justice-app-framework
terraform scan results:

Passed checks: 1386, Failed checks: 2, Skipped checks: 235

Check: CKV_AWS_297: "Ensure EventBridge Scheduler Schedule uses Customer Managed Key (CMK)"
	FAILED for resource: module.aurora.aws_scheduler_schedule.rds_start
	File: /modules/aurora/event_scheduler.tf:36-54
	Calling File: /aurora.tf:13-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-297

		36 | resource "aws_scheduler_schedule" "rds_start" {
		37 |   count                        = var.create_sheduler ? 1 : 0
		38 |   name                         = "rds-start-weekdays"
		39 |   schedule_expression_timezone = "Europe/London"
		40 |   schedule_expression          = "cron(0 7 ? * MON-FRI *)"
		41 |
		42 |   flexible_time_window {
		43 |     mode = "OFF"
		44 |   }
		45 |
		46 |   target {
		47 |     arn      = "arn:aws:scheduler:::aws-sdk:rds:startDBCluster"
		48 |     role_arn = aws_iam_role.rds_scheduler[0].arn
		49 |
		50 |     input = jsonencode({
		51 |       DbClusterIdentifier = var.name
		52 |     })
		53 |   }
		54 | }

Check: CKV_AWS_297: "Ensure EventBridge Scheduler Schedule uses Customer Managed Key (CMK)"
	FAILED for resource: module.aurora.aws_scheduler_schedule.rds_stop
	File: /modules/aurora/event_scheduler.tf:57-75
	Calling File: /aurora.tf:13-126
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-297

		57 | resource "aws_scheduler_schedule" "rds_stop" {
		58 |   count                        = var.create_sheduler ? 1 : 0
		59 |   name                         = "rds-stop-weekdays"
		60 |   schedule_expression_timezone = "Europe/London"
		61 |   schedule_expression          = "cron(0 20 ? * MON-FRI *)"
		62 |
		63 |   flexible_time_window {
		64 |     mode = "OFF"
		65 |   }
		66 |
		67 |   target {
		68 |     arn      = "arn:aws:scheduler:::aws-sdk:rds:stopDBCluster"
		69 |     role_arn = aws_iam_role.rds_scheduler[0].arn
		70 |
		71 |     input = jsonencode({
		72 |       DbClusterIdentifier = var.name
		73 |     })
		74 |   }
		75 | }

terraform_plan scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 0, Parsing errors: 6

secrets scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 1


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/youth-justice-app-framework/modules/aurora
terraform scan results:

Passed checks: 47, Failed checks: 2, Skipped checks: 9

Check: CKV_AWS_297: "Ensure EventBridge Scheduler Schedule uses Customer Managed Key (CMK)"
	FAILED for resource: aws_scheduler_schedule.rds_start[0]
	File: /event_scheduler.tf:36-54
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-297

		36 | resource "aws_scheduler_schedule" "rds_start" {
		37 |   count                        = var.create_sheduler ? 1 : 0
		38 |   name                         = "rds-start-weekdays"
		39 |   schedule_expression_timezone = "Europe/London"
		40 |   schedule_expression          = "cron(0 7 ? * MON-FRI *)"
		41 |
		42 |   flexible_time_window {
		43 |     mode = "OFF"
		44 |   }
		45 |
		46 |   target {
		47 |     arn      = "arn:aws:scheduler:::aws-sdk:rds:startDBCluster"
		48 |     role_arn = aws_iam_role.rds_scheduler[0].arn
		49 |
		50 |     input = jsonencode({
		51 |       DbClusterIdentifier = var.name
		52 |     })
		53 |   }
		54 | }

Check: CKV_AWS_297: "Ensure EventBridge Scheduler Schedule uses Customer Managed Key (CMK)"
	FAILED for resource: aws_scheduler_schedule.rds_stop[0]
	File: /event_scheduler.tf:57-75
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-297

		57 | resource "aws_scheduler_schedule" "rds_stop" {
		58 |   count                        = var.create_sheduler ? 1 : 0
		59 |   name                         = "rds-stop-weekdays"
		60 |   schedule_expression_timezone = "Europe/London"
		61 |   schedule_expression          = "cron(0 20 ? * MON-FRI *)"
		62 |
		63 |   flexible_time_window {
		64 |     mode = "OFF"
		65 |   }
		66 |
		67 |   target {
		68 |     arn      = "arn:aws:scheduler:::aws-sdk:rds:stopDBCluster"
		69 |     role_arn = aws_iam_role.rds_scheduler[0].arn
		70 |
		71 |     input = jsonencode({
		72 |       DbClusterIdentifier = var.name
		73 |     })
		74 |   }
		75 | }


checkov_exitcode=2

*****************************

Running Checkov in terraform/environments/youth-justice-app-framework/modules/cloudfront
terraform scan results:

Passed checks: 32, Failed checks: 0, Skipped checks: 17


checkov_exitcode=2

TFLint Scan Success

*****************************

Using default config
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint checking:
terraform/environments/youth-justice-app-framework
terraform/environments/youth-justice-app-framework/modules/aurora
terraform/environments/youth-justice-app-framework/modules/cloudfront

*****************************

Running tflint in terraform/environments/youth-justice-app-framework
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/youth-justice-app-framework/modules/aurora
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/youth-justice-app-framework/modules/cloudfront
tflint_exitcode=0

@ttipler ttipler deployed to youth-justice-app-framework-test June 8, 2026 11:22 — with GitHub Actions Active
@ttipler ttipler deployed to youth-justice-app-framework-development June 8, 2026 11:22 — with GitHub Actions Active