Tidy up event logging in integration hub & reinstate s3 objects to trigger moves#17052

Open
dms1981 wants to merge 4 commits into
mainfrom
fix/integration-hub-eventbridge-logging

Conversation

@dms1981
Contributor

@dms1981 dms1981 commented Jun 5, 2026

:copilot: This pull request body was generated by GitHub Copilot

Summary

This PR reinstates S3 object notifications as the inciting event for file moves from the unscanned bucket into the processing bucket in the Integration Hub managed file transfer environment.

The previous Transfer/EventBridge trigger path introduced an incomplete wiring state. This change returns the flow to a coherent S3 -> SQS -> Lambda pattern.

What Changed

  • Restored lambda_unscanned_to_processing to consume from the unscanned S3 notifications queue.
  • Replaced the transfer notifications queue definition with sqs_unscanned_s3_notifications.
  • Removed the stale eventbridge_transfer_upload module and associated dependencies.
  • Retained the existing s3_bucket_notification configuration on the unscanned bucket to emit s3:ObjectCreated:* events to SQS.
  • Kept GuardDuty/EventBridge-based post-scan routing unchanged.

Behaviour After Change

  1. File uploaded to unscanned bucket.
  2. S3 emits ObjectCreated notification.
  3. Notification lands on sqs_unscanned_s3_notifications.
  4. lambda_unscanned_to_processing moves object into processing bucket.

Why

  • Re-establishes direct, deterministic file-move triggering from S3 object creation.
  • Removes references to transfer event locals/modules that were no longer present.
  • Aligns the Terraform state with the intended ingestion design.

Validation

  • terraform validate passes in:
    • terraform/environments/integration-hub/managed-file-transfer

Risks

  • Terraform plan will show removal of Transfer/EventBridge upload trigger resources and creation/management of the unscanned S3 notifications queue wiring where drift exists.
  • Functional path should be confirmed with an end-to-end upload test in non-production.

Signed-off-by: David Sibley david.sibley@justice.gov.uk
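The S3 -> SQS -> Lambda path listed above, as an added example that is not the project's lambda_unscanned_to_processing code: a Python handler that unwraps S3 ObjectCreated records from SQS messages, acknowledges the s3:TestEvent S3 sends when a notification is configured, URL-decodes object keys, drops redeliveries, and reports per-message failures so SQS retries only those. The bucket names, the FakeS3 stand-in for the boto3 client and the in-memory set standing in for the idempotency table are assumptions.

```python
"""Added example, not the project's code: a handler in the shape of
lambda_unscanned_to_processing, fed by the sqs_unscanned_s3_notifications queue.
The S3 client and the idempotency store are injected so it runs offline."""
import json
import urllib.parse

UNSCANNED_BUCKET = "integration-hub-unscanned"     # assumed bucket name
PROCESSING_BUCKET = "integration-hub-processing"   # assumed bucket name


class FakeS3:
    """Assumed stand-in for boto3's S3 client: only the two calls the handler uses."""

    def __init__(self, objects):
        self.objects = dict(objects)  # (bucket, key) -> bytes

    def copy_object(self, Bucket, Key, CopySource):
        src = (CopySource["Bucket"], CopySource["Key"])
        if src not in self.objects:
            raise KeyError(f"NoSuchKey: {src}")
        self.objects[(Bucket, Key)] = self.objects[src]

    def delete_object(self, Bucket, Key):
        self.objects.pop((Bucket, Key), None)


def parse_s3_records(sqs_event):
    """Yield (sqs_message_id, s3_record) for every ObjectCreated record.

    S3 publishes an "s3:TestEvent" when the bucket notification is first put in
    place; it carries no Records and must be consumed, not failed, or it cycles
    to the DLQ after maxReceiveCount.
    """
    for msg in sqs_event.get("Records", []):
        body = json.loads(msg["body"])
        if body.get("Event") == "s3:TestEvent":
            continue
        for rec in body.get("Records", []):
            if rec.get("eventSource") != "aws:s3":
                continue
            if rec.get("eventName", "").startswith("ObjectCreated:"):
                yield msg["messageId"], rec


def handler(event, s3, seen):
    """Copy each notified object into the processing bucket and delete the source.

    `seen` stands in for the idempotency table: SQS is at-least-once, so the same
    notification can arrive twice. Failures are reported per SQS message
    (batchItemFailures) so only those messages are retried.
    """
    failures = []
    for message_id, rec in parse_s3_records(event):
        try:
            bucket = rec["s3"]["bucket"]["name"]
            # S3 URL-encodes keys in notifications: "red flower.jpg" arrives as "red+flower.jpg"
            key = urllib.parse.unquote_plus(rec["s3"]["object"]["key"])
            sequencer = rec["s3"]["object"].get("sequencer", "")
            if bucket != UNSCANNED_BUCKET:
                raise ValueError(f"unexpected source bucket {bucket}")
            dedupe_id = f"{bucket}/{key}/{sequencer}"
            if dedupe_id in seen:
                continue  # redelivery of an object already moved
            s3.copy_object(Bucket=PROCESSING_BUCKET, Key=key,
                           CopySource={"Bucket": bucket, "Key": key})
            s3.delete_object(Bucket=bucket, Key=key)
            seen.add(dedupe_id)
        except Exception:
            failures.append({"itemIdentifier": message_id})
    return {"batchItemFailures": failures}


def build_sample_event():
    """Constructed sample: four SQS messages as S3 notifications would deliver them."""
    def s3_body(key, sequencer):
        return json.dumps({"Records": [{
            "eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
            "s3": {"bucket": {"name": UNSCANNED_BUCKET},
                   "object": {"key": key, "sequencer": sequencer}}}]})
    return {"Records": [
        {"messageId": "msg-1", "body": json.dumps({"Service": "Amazon S3", "Event": "s3:TestEvent"})},
        {"messageId": "msg-2", "body": s3_body("red+flower.jpg", "0A1B")},
        {"messageId": "msg-3", "body": s3_body("missing.bin", "0A1C")},   # object never landed
        {"messageId": "msg-4", "body": s3_body("red+flower.jpg", "0A1B")},  # redelivery of msg-2
    ]}


def run_example():
    """Run the constructed batch; returns (lambda response, bucket contents, seen ids)."""
    s3 = FakeS3({(UNSCANNED_BUCKET, "red flower.jpg"): b"constructed-bytes"})
    seen = set()
    result = handler(build_sample_event(), s3, seen)
    return result, s3.objects, seen
```

Only msg-3 is reported back to SQS for retry; the test event and the redelivery are consumed silently.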

…fault bus as not immediately manageable through terraform
@dms1981 dms1981 requested review from a team as code owners June 5, 2026 15:58
@github-actions github-actions Bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jun 5, 2026
@dms1981 dms1981 deployed to integration-hub-development-managed-file-transfer June 5, 2026 16:00 — with GitHub Actions Active
@dms1981 dms1981 changed the title Tidy up event logging in integration hub Tidy up event logging in integration hub & reinstate s3 objects to trigger moves Jun 5, 2026
@dms1981 dms1981 requested a review from Copilot June 5, 2026 16:09
Contributor

Copilot AI left a comment

Pull request overview

This PR aims to switch the managed file transfer workflow back to using S3 object-created notifications to trigger file moves, while removing Terraform-managed logging for the EventBridge default bus (since it is not meaningfully manageable at component level).

Changes:

  • Adds an S3 bucket notification module to send s3:ObjectCreated:* events to an SQS queue.
  • Removes Terraform configuration for logging the EventBridge default bus and its CloudWatch log group.
  • Removes Transfer Family upload EventBridge rule locals and deletes moved.tf.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

File | Description
terraform/environments/integration-hub/managed-file-transfer/s3.tf | Introduces S3→SQS bucket notifications intended to trigger object moves.
terraform/environments/integration-hub/managed-file-transfer/moved.tf | Removes Terraform moved blocks previously used for state address migrations.
terraform/environments/integration-hub/managed-file-transfer/eventbridge.tf | Removes default bus logging configuration; leaves EventBridge rule modules for GuardDuty (and still contains Transfer upload wiring).
terraform/environments/integration-hub/managed-file-transfer/eventbridge-rules.tf | Removes the Transfer Family upload rule local, leaving only GuardDuty malware protection rules.
terraform/environments/integration-hub/managed-file-transfer/cloudwatch.tf | Removes the EventBridge log group, leaving only the Transfer log group.
Comments suppressed due to low confidence (1)

terraform/environments/integration-hub/managed-file-transfer/eventbridge-rules.tf:4

  • local.eventbridge_transfer_sftp_upload_rules has been removed from this file, but it is still referenced by module.eventbridge_transfer_upload (terraform/environments/integration-hub/managed-file-transfer/eventbridge.tf:52) and by SQS queue policy locals (terraform/environments/integration-hub/managed-file-transfer/sqs.tf:3). This will cause Terraform evaluation failures because the local no longer exists.

Comment thread terraform/environments/integration-hub/managed-file-transfer/s3.tf
harshvasudev29
harshvasudev29 previously approved these changes Jun 5, 2026
@dms1981 dms1981 requested a deployment to integration-hub-development-managed-file-transfer June 5, 2026 18:44 — with GitHub Actions Waiting
harshvasudev29
harshvasudev29 previously approved these changes Jun 8, 2026
Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Comment on lines +5 to 9
name = "${local.application_name}-unscanned-s3-notifications"
use_name_prefix = false

create_queue_policy = true
queue_policy_statements = {
eventbridge = {
sid = "AllowTransferEventBridgeSendMessage"
actions = ["sqs:SendMessage"]

principals = [
{
type = "Service"
identifiers = ["events.amazonaws.com"]
}
]

condition = [
{
test = "ArnEquals"
variable = "aws:SourceArn"
values = local.sqs_transfer_notifications_source_arns
}
]
}
}
create_queue_policy = false
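Review bot: with create_queue_policy = false this queue is left with no resource policy at all, and the statement being removed only ever allowed events.amazonaws.com, so nothing in this file grants the new producer, s3.amazonaws.com, sqs:SendMessage on the queue. S3 validates that permission when the bucket notification configuration is applied and rejects the configuration otherwise, so either confirm that the s3_bucket_notification module (which is only handed queue_arn) creates a queue policy for s3.amazonaws.com conditioned on aws:SourceArn equal to the unscanned bucket ARN, or keep create_queue_policy = true here with an S3 statement in place of the EventBridge one. Dropping the reference to local.sqs_transfer_notifications_source_arns is the right call, since that local went away with the Transfer upload rule.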

Comment thread terraform/environments/integration-hub/managed-file-transfer/s3.tf
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@github-actions
Contributor

github-actions Bot commented Jun 8, 2026


Checkov Scan Success

*****************************

Checkov will check the following folders:
terraform/environments/integration-hub/managed-file-transfer

*****************************

Running Checkov in terraform/environments/integration-hub/managed-file-transfer
2026-06-08 15:12:41,158 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/modernisation-platform-terraform-aws-chatbot?ref=0ec33c7bfde5649af3c23d0834ea85c849edf3ac): list index out of range
terraform scan results:

Passed checks: 104, Failed checks: 27, Skipped checks: 1

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: cloudwatch_transfer
	File: /cloudwatch.tf:1-8
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1 | module "cloudwatch_transfer" {
		2 |   source  = "terraform-aws-modules/cloudwatch/aws//modules/log-group"
		3 |   version = "5.7.2"
		4 |
		5 |   name              = "/aws/transfer/${local.application_name}-${local.component_name}"
		6 |   kms_key_id        = module.kms_cloudwatch_logs.key_arn
		7 |   retention_in_days = 30
		8 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: dynamodb_idempotency
	File: /dynamo-db.tf:1-24
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "dynamodb_idempotency" {
		2  |   source  = "terraform-aws-modules/dynamodb-table/aws"
		3  |   version = "5.5.0"
		4  |
		5  |   name         = "integration-hub-s3-idempotency"
		6  |   billing_mode = "PAY_PER_REQUEST"
		7  |   hash_key     = "id"
		8  |
		9  |   attributes = [
		10 |     {
		11 |       name = "id"
		12 |       type = "S"
		13 |     }
		14 |   ]
		15 |
		16 |   table_class        = "STANDARD"
		17 |   ttl_attribute_name = "expiration"
		18 |   ttl_enabled        = true
		19 |   timeouts = {
		20 |     "create" : "60m",
		21 |     "delete" : "60m",
		22 |     "update" : "60m"
		23 |   }
		24 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: eventbridge_guard_duty_malware_protection_for_s3
	File: /eventbridge.tf:1-49
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "eventbridge_guard_duty_malware_protection_for_s3" {
		2  |   for_each = local.eventbridge_guard_duty_malware_protection_for_s3_rules
		3  |
		4  |   source  = "terraform-aws-modules/eventbridge/aws"
		5  |   version = "4.3.0"
		6  |
		7  |   create_bus                 = false
		8  |   create_role                = false
		9  |   create_log_delivery_source = false
		10 |   create_log_delivery        = false
		11 |
		12 |   bus_name            = "default"
		13 |   append_rule_postfix = false
		14 |
		15 |   rules = {
		16 |     (each.value.name) = {
		17 |       description   = each.value.description
		18 |       event_pattern = jsonencode(each.value.event_pattern)
		19 |     }
		20 |   }
		21 |
		22 |   targets = {
		23 |     (each.value.name) = [
		24 |       {
		25 |         name = "${each.value.name}-to-sqs"
		26 |         arn  = module.sqs_guard_duty_malware_protection_for_s3_events.queue_arn
		27 |         input_transformer = {
		28 |           input_paths = {
		29 |             object_key         = "$.detail.s3ObjectDetails.objectKey"
		30 |             version_id         = "$.detail.s3ObjectDetails.versionId"
		31 |             scan_result_status = "$.detail.scanResultDetails.scanResultStatus"
		32 |           }
		33 |           input_template = <<-EOF
		34 | 					{
		35 |             "source_bucket_name": "${module.s3_bucket["processing"].s3_bucket_id}",
		36 | 					  "destination_bucket_key": "${each.value.destination_bucket_key}",
		37 | 					  "delete_source": ${jsonencode(each.value.delete_source)},
		38 | 					  "object_key": "<object_key>",
		39 | 					  "version_id": "<version_id>",
		40 | 					  "scan_result_status": "<scan_result_status>"
		41 | 					}
		42 | 					EOF
		43 |         }
		44 |       }
		45 |     ]
		46 |   }
		47 |
		48 |   tags = local.tags
		49 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: guardduty_s3_plan_policy
	File: /iam.tf:1-12
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "guardduty_s3_plan_policy" {
		2  |   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
		3  |   version = "6.6.0"
		4  |
		5  |   name        = local.iam_configuration.guardduty_policy_name
		6  |   description = "GuardDuty S3 malware protection plan policy"
		7  |   path        = "/"
		8  |
		9  |   policy = data.aws_iam_policy_document.guardduty_s3_plan_permission_policy.json
		10 |
		11 |   tags = local.tags
		12 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: guardduty_s3_plan_role
	File: /iam.tf:14-38
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		14 | module "guardduty_s3_plan_role" {
		15 |   source  = "terraform-aws-modules/iam/aws//modules/iam-role"
		16 |   version = "6.6.0"
		17 |
		18 |   create          = true
		19 |   use_name_prefix = false
		20 |   name            = local.iam_configuration.guardduty_role_name
		21 |
		22 |   trust_policy_permissions = {
		23 |     AllowGuardDutyService = {
		24 |       effect  = "Allow"
		25 |       actions = ["sts:AssumeRole"]
		26 |       principals = [{
		27 |         type        = "Service"
		28 |         identifiers = ["malware-protection-plan.guardduty.amazonaws.com"]
		29 |       }]
		30 |     }
		31 |   }
		32 |
		33 |   policies = {
		34 |     guardduty_s3_plan = module.guardduty_s3_plan_policy.arn
		35 |   }
		36 |
		37 |   tags = local.tags
		38 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: iam_for_transfer
	File: /iam.tf:124-148
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		124 | module "iam_for_transfer" {
		125 |   source  = "terraform-aws-modules/iam/aws//modules/iam-role"
		126 |   version = "6.6.0"
		127 |
		128 |   create          = true
		129 |   use_name_prefix = true
		130 |   name            = "transfer-logging"
		131 |
		132 |   trust_policy_permissions = {
		133 |     AllowTransferService = {
		134 |       effect  = "Allow"
		135 |       actions = ["sts:AssumeRole"]
		136 |       principals = [{
		137 |         type        = "Service"
		138 |         identifiers = ["transfer.amazonaws.com"]
		139 |       }]
		140 |     }
		141 |   }
		142 |
		143 |   policies = {
		144 |     transfer_logging = "arn:aws:iam::aws:policy/service-role/AWSTransferLoggingAccess"
		145 |   }
		146 |
		147 |   tags = local.tags
		148 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: kms_s3_bucket
	File: /kms.tf:1-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "kms_s3_bucket" {
		2  |   for_each = {
		3  |     for key, value in local.bucket_configuration : key => value
		4  |   }
		5  |   source  = "terraform-aws-modules/kms/aws"
		6  |   version = "4.2.0"
		7  |
		8  |   aliases                 = ["s3/${each.key}"]
		9  |   description             = "Key for cryptographic functions on ${trimsuffix(each.value.bucket_prefix, "-")} S3 bucket"
		10 |   enable_default_policy   = true
		11 |   deletion_window_in_days = 30
		12 |   multi_region            = false
		13 |   is_enabled              = true
		14 |   key_usage               = "ENCRYPT_DECRYPT"
		15 |   enable_key_rotation     = true
		16 |
		17 |   # Allow the root account as administrator
		18 |   key_administrators = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		19 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: kms_secrets
	File: /kms.tf:21-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		21 | module "kms_secrets" {
		22 |   source  = "terraform-aws-modules/kms/aws"
		23 |   version = "~> 4.1.0"
		24 |
		25 |   aliases                 = ["transfer/secrets"]
		26 |   description             = "KMS CMK for Secrets Manager encryption"
		27 |   enable_default_policy   = true
		28 |   enable_key_rotation     = true
		29 |   deletion_window_in_days = 30
		30 |   key_usage               = "ENCRYPT_DECRYPT"
		31 |   is_enabled              = true
		32 |
		33 |   # Allow the root account as administrator
		34 |   key_administrators = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		35 |
		36 |   # Explicitly allow only necessary roles to use the key
		37 |   key_users = [
		38 |     "arn:aws:iam::${data.aws_caller_identity.original_session.id}:role/MemberInfrastructureAccess"
		39 |   ]
		40 |
		41 |   # Allow Secrets Manager to use the key
		42 |   key_statements = [
		43 |     {
		44 |       sid = "AllowSecretsManagerService"
		45 |       actions = [
		46 |         "kms:Decrypt",
		47 |         "kms:DescribeKey",
		48 |         "kms:Encrypt",
		49 |         "kms:GenerateDataKey*",
		50 |         "kms:ReEncrypt*"
		51 |       ]
		52 |       resources = ["*"]
		53 |
		54 |       principals = [
		55 |         {
		56 |           type        = "Service"
		57 |           identifiers = ["secretsmanager.amazonaws.com"]
		58 |         }
		59 |       ]
		60 |     }
		61 |   ]
		62 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: kms_cloudwatch_logs
	File: /kms.tf:64-168
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: lambda_unscanned_to_processing
	File: /lambda.tf:1-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: lambda_processing_to_post_scan
	File: /lambda.tf:91-189
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.proof_of_concept_notification.dynamodb_idempotency
	File: /modules/send-presigned-url/main.tf:5-30
	Calling File: /products-poc.tf:1-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		5  | module "dynamodb_idempotency" {
		6  |   source  = "terraform-aws-modules/dynamodb-table/aws"
		7  |   version = "5.5.0"
		8  |
		9  |   name         = "${local.resource_name_prefix}-presigned-url-idempotency"
		10 |   billing_mode = "PAY_PER_REQUEST"
		11 |   hash_key     = "id"
		12 |
		13 |   attributes = [
		14 |     {
		15 |       name = "id"
		16 |       type = "S"
		17 |     }
		18 |   ]
		19 |
		20 |   table_class        = "STANDARD"
		21 |   ttl_attribute_name = "expiration"
		22 |   ttl_enabled        = true
		23 |   timeouts = {
		24 |     create = "60m"
		25 |     delete = "60m"
		26 |     update = "60m"
		27 |   }
		28 |
		29 |   tags = var.tags
		30 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.proof_of_concept_notification.sns_clean_bucket_events
	File: /modules/send-presigned-url/main.tf:32-90
	Calling File: /products-poc.tf:1-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.proof_of_concept_notification.sqs_clean_file_notifications
	File: /modules/send-presigned-url/main.tf:103-146
	Calling File: /products-poc.tf:1-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		103 | module "sqs_clean_file_notifications" {
		104 |   source  = "terraform-aws-modules/sqs/aws"
		105 |   version = "5.2.1"
		106 |
		107 |   name            = "${local.resource_name_prefix}-clean-file-notifications"
		108 |   use_name_prefix = false
		109 |
		110 |   create_queue_policy = true
		111 |   queue_policy_statements = {
		112 |     sns = {
		113 |       sid     = "AllowCleanBucketEventsTopicSendMessage"
		114 |       actions = ["sqs:SendMessage"]
		115 |
		116 |       principals = [
		117 |         {
		118 |           type        = "Service"
		119 |           identifiers = ["sns.amazonaws.com"]
		120 |         }
		121 |       ]
		122 |
		123 |       condition = [
		124 |         {
		125 |           test     = "ArnEquals"
		126 |           variable = "aws:SourceArn"
		127 |           values   = [module.sns_clean_bucket_events.topic_arn]
		128 |         }
		129 |       ]
		130 |     }
		131 |   }
		132 |
		133 |   create_dlq = true
		134 |   dlq_name   = "${local.resource_name_prefix}-clean-file-notifications-dlq"
		135 |
		136 |   message_retention_seconds     = 1209600
		137 |   visibility_timeout_seconds    = 180
		138 |   receive_wait_time_seconds     = 20
		139 |   dlq_message_retention_seconds = 1209600
		140 |
		141 |   redrive_policy = {
		142 |     maxReceiveCount = 5
		143 |   }
		144 |
		145 |   tags = var.tags
		146 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.proof_of_concept_notification.sns_clean_file_download_notifications
	File: /modules/send-presigned-url/main.tf:148-173
	Calling File: /products-poc.tf:1-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		148 | module "sns_clean_file_download_notifications" {
		149 |   source  = "terraform-aws-modules/sns/aws"
		150 |   version = "7.1.0"
		151 |
		152 |   name = "${local.resource_name_prefix}-clean-file-download-notifications"
		153 |
		154 |   topic_policy_statements = {
		155 |     chatbot_consume = {
		156 |       actions = [
		157 |         "sns:Subscribe",
		158 |         "sns:Receive",
		159 |         "sns:Publish",
		160 |       ]
		161 |       principals = [{
		162 |         type = "Service"
		163 |         identifiers = [
		164 |           "sns.amazonaws.com",
		165 |           "events.amazonaws.com",
		166 |           "chatbot.amazonaws.com",
		167 |         ]
		168 |       }]
		169 |     }
		170 |   }
		171 |
		172 |   tags = var.tags
		173 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: module.proof_of_concept_notification.lambda_clean_file_presigned_url_notifier
	File: /modules/send-presigned-url/main.tf:175-258
	Calling File: /products-poc.tf:1-27
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket
	File: /s3.tf:1-50
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_bucket_notification
	File: /s3.tf:52-66
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		52 | module "s3_bucket_notification" {
		53 |   source  = "terraform-aws-modules/s3-bucket/aws//modules/notification"
		54 |   version = "5.13.0"
		55 |
		56 |   bucket     = module.s3_bucket["unscanned"].s3_bucket_id
		57 |   bucket_arn = module.s3_bucket["unscanned"].s3_bucket_arn
		58 |
		59 |   depends_on = [module.sqs_unscanned_s3_notifications]
		60 |   sqs_notifications = {
		61 |     unscanned = {
		62 |       queue_arn = module.sqs_unscanned_s3_notifications.queue_arn
		63 |       events    = ["s3:ObjectCreated:*"]
		64 |     }
		65 |   }
		66 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: secrets_transfer_user_ssh
	File: /secrets.tf:1-30
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "secrets_transfer_user_ssh" {
		2  |   source  = "terraform-aws-modules/secrets-manager/aws"
		3  |   version = "2.1.0"
		4  |
		5  |   name                    = "${local.application_name}-transfer-user-ssh-keys"
		6  |   description             = "${local.application_name} Transfer User SSH Keys"
		7  |   recovery_window_in_days = 7
		8  |   kms_key_id              = module.kms_secrets.key_arn
		9  |   create_policy           = true
		10 |   block_public_policy     = true
		11 |   ignore_secret_changes   = true
		12 |
		13 |   policy_statements = {
		14 |     read = {
		15 |       sid = "AllowCIRolesToRead"
		16 |       principals = [{
		17 |         type = "AWS"
		18 |         identifiers = [
		19 |           "arn:aws:iam::${data.aws_caller_identity.original_session.id}:role/MemberInfrastructureAccess"
		20 |         ]
		21 |       }]
		22 |       actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
		23 |       resources = ["*"]
		24 |     }
		25 |   }
		26 |   # This value will be manually populated in AWS and will be ignored due to ignore_secret_changes = true
		27 |   secret_string = jsonencode({
		28 |     username = "123456789012"
		29 |   })
		30 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: sqs_unscanned_s3_notifications
	File: /sqs.tf:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "sqs_unscanned_s3_notifications" {
		2  |   source  = "terraform-aws-modules/sqs/aws"
		3  |   version = "5.2.1"
		4  |
		5  |   name            = "${local.application_name}-unscanned-s3-notifications"
		6  |   use_name_prefix = false
		7  |
		8  |   create_queue_policy = false
		9  |
		10 |   create_dlq = true
		11 |   dlq_name   = "${local.application_name}-unscanned-s3-notifications-dlq"
		12 |
		13 |   message_retention_seconds     = 1209600
		14 |   visibility_timeout_seconds    = 180
		15 |   receive_wait_time_seconds     = 20
		16 |   dlq_message_retention_seconds = 1209600
		17 |
		18 |   redrive_policy = {
		19 |     maxReceiveCount = 5
		20 |   }
		21 |
		22 |   tags = local.tags
		23 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: sqs_guard_duty_malware_protection_for_s3_events
	File: /sqs.tf:25-70
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		25 | module "sqs_guard_duty_malware_protection_for_s3_events" {
		26 |   source  = "terraform-aws-modules/sqs/aws"
		27 |   version = "5.2.1"
		28 |
		29 |   name            = "${local.application_name}-guard-duty-malware-protection-for-s3-events"
		30 |   use_name_prefix = false
		31 |
		32 |   create_queue_policy = true
		33 |   queue_policy_statements = {
		34 |     eventbridge = {
		35 |       sid     = "AllowEventBridgeSendMessage"
		36 |       actions = ["sqs:SendMessage"]
		37 |
		38 |       principals = [
		39 |         {
		40 |           type        = "Service"
		41 |           identifiers = ["events.amazonaws.com"]
		42 |         }
		43 |       ]
		44 |
		45 |       condition = [
		46 |         {
		47 |           test     = "ArnEquals"
		48 |           variable = "aws:SourceArn"
		49 |           values = [
		50 |             for rule_key, rule in local.eventbridge_guard_duty_malware_protection_for_s3_rules : module.eventbridge_guard_duty_malware_protection_for_s3[rule_key].eventbridge_rule_arns[rule.name]
		51 |           ]
		52 |         }
		53 |       ]
		54 |     }
		55 |   }
		56 |
		57 |   create_dlq = true
		58 |   dlq_name   = "${local.application_name}-guard-duty-malware-protection-for-s3-events-dlq"
		59 |
		60 |   message_retention_seconds     = 1209600
		61 |   visibility_timeout_seconds    = 180
		62 |   receive_wait_time_seconds     = 20
		63 |   dlq_message_retention_seconds = 1209600
		64 |
		65 |   redrive_policy = {
		66 |     maxReceiveCount = 5
		67 |   }
		68 |
		69 |   tags = local.tags
		70 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: transfer_user_policy
	File: /transfer-user.tf:80-91
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		80 | module "transfer_user_policy" {
		81 |   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
		82 |   version = "6.6.0"
		83 |
		84 |   name        = "${local.application_name}-transfer-user-policy"
		85 |   description = "AWS Transfer User policy"
		86 |   path        = "/"
		87 |
		88 |   policy = data.aws_iam_policy_document.transfer_user.json
		89 |
		90 |   tags = local.tags
		91 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: transfer_user_role
	File: /transfer-user.tf:93-115
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		93  | module "transfer_user_role" {
		94  |   source  = "terraform-aws-modules/iam/aws//modules/iam-role"
		95  |   version = "6.6.0"
		96  |
		97  |   name            = "${local.application_name}-transfer-user"
		98  |   description     = "AWS Transfer User role"
		99  |   use_name_prefix = true
		100 |
		101 |   trust_policy_permissions = {
		102 |     AllowTransferService = {
		103 |       effect  = "Allow"
		104 |       actions = ["sts:AssumeRole"]
		105 |       principals = [{
		106 |         type        = "Service"
		107 |         identifiers = ["transfer.amazonaws.com"]
		108 |       }]
		109 |     }
		110 |   }
		111 |
		112 |   policies = {
		113 |     transfer_user_policy = module.transfer_user_policy.arn
		114 |   }
		115 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: transfer_web_app_policy
	File: /transfer-web-app.tf:39-48
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		39 | module "transfer_web_app_policy" {
		40 |   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
		41 |   version = "6.6.0"
		42 |
		43 |   name        = "${local.application_name}-transfer-web-app-policy"
		44 |   description = "AWS Transfer web app access grants policy"
		45 |   path        = "/"
		46 |
		47 |   policy = data.aws_iam_policy_document.transfer_web_app.json
		48 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: transfer_web_app_role
	File: /transfer-web-app.tf:50-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		50 | module "transfer_web_app_role" {
		51 |   source  = "terraform-aws-modules/iam/aws//modules/iam-role"
		52 |   version = "6.6.0"
		53 |
		54 |   create          = true
		55 |   use_name_prefix = false
		56 |   name            = "transfer-web-app"
		57 |   description     = "AWS Transfer web app role"
		58 |
		59 |   trust_policy_permissions = {
		60 |     AllowTransferWebApp = {
		61 |       effect  = "Allow"
		62 |       actions = ["sts:AssumeRole", "sts:SetContext"]
		63 |       principals = [{
		64 |         type        = "Service"
		65 |         identifiers = ["transfer.amazonaws.com"]
		66 |       }]
		67 |       condition = [{
		68 |         test     = "StringEquals"
		69 |         values   = [data.aws_caller_identity.current.account_id]
		70 |         variable = "aws:SourceAccount"
		71 |       }]
		72 |     }
		73 |   }
		74 |
		75 |   policies = {
		76 |     transfer_web_app = module.transfer_web_app_policy.arn
		77 |   }
		78 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_access_grants_location_policy
	File: /transfer-web-app.tf:199-208
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		199 | module "s3_access_grants_location_policy" {
		200 |   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
		201 |   version = "6.6.0"
		202 |
		203 |   name        = "${local.application_name}-s3-access-grants-location-policy"
		204 |   description = "AWS S3 Access Grants read/write access to the unscanned bucket"
		205 |   path        = "/"
		206 |
		207 |   policy = data.aws_iam_policy_document.s3_access_grants_location.json
		208 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3_access_grants_location_role
	File: /transfer-web-app.tf:210-250
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		210 | module "s3_access_grants_location_role" {
		211 |   source  = "terraform-aws-modules/iam/aws//modules/iam-role"
		212 |   version = "6.6.0"
		213 |
		214 |   name            = "transfer-s3-access-grants-location"
		215 |   use_name_prefix = false
		216 |   description     = "Role to allow AWS S3 Access Grants to read and write to the unscanned bucket"
		217 |
		218 |   trust_policy_permissions = {
		219 |     AllowAccessGrants = {
		220 |       effect = "Allow"
		221 |       actions = [
		222 |         "sts:AssumeRole",
		223 |         "sts:SetContext",
		224 |         "sts:SetSourceIdentity",
		225 |       ]
		226 |
		227 |       principals = [{
		228 |         type        = "Service"
		229 |         identifiers = ["access-grants.s3.amazonaws.com"]
		230 |       }]
		231 |
		232 |       condition = [
		233 |         {
		234 |           test     = "StringEquals"
		235 |           values   = [data.aws_caller_identity.current.account_id]
		236 |           variable = "aws:SourceAccount"
		237 |         },
		238 |         {
		239 |           test     = "ArnEquals"
		240 |           values   = [aws_s3control_access_grants_instance.this.access_grants_instance_arn]
		241 |           variable = "aws:SourceArn"
		242 |         }
		243 |       ]
		244 |     }
		245 |   }
		246 |
		247 |   policies = {
		248 |     unscanned_access = module.s3_access_grants_location_policy.arn
		249 |   }
		250 | }


checkov_exitcode=1

TFLint Scan Success

*****************************

Using default config
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint checking:
terraform/environments/integration-hub/managed-file-transfer

*****************************

Running tflint in terraform/environments/integration-hub/managed-file-transfer
1 issue(s) found:

Warning: [Fixable] Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/integration-hub/managed-file-transfer/iam.tf line 90:
  90:       "${module.s3_bucket["processing"].s3_bucket_arn}"

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2
