
Add starter pack and ecr #17065

Open
JakeBroughton wants to merge 2 commits into main from add-starter-pack-and-ecr

Conversation


JakeBroughton (Contributor) commented Jun 8, 2026

Add temporary development-only ECR repo for starter pack and starter pack terraform module.

github-actions Bot added the environments-repository label ("Used to exclude PRs from this repo in our Slack PR update") Jun 8, 2026
JakeBroughton marked this pull request as ready for review June 8, 2026 11:28
JakeBroughton requested review from a team as code owners June 8, 2026 11:28
JakeBroughton deployed to cloud-platform-development June 8, 2026 11:29 with GitHub Actions (Active)
JakeBroughton force-pushed the add-starter-pack-and-ecr branch from 6ace235 to 1ff4234 June 8, 2026 11:58

github-actions Bot commented Jun 8, 2026


Checkov Scan Success

*****************************

Checkov will check the following folders:
terraform/environments/cloud-platform/cluster-core
terraform/environments/cloud-platform

*****************************

Running Checkov in terraform/environments/cloud-platform/cluster-core
2026-06-08 11:59:33,276 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/container-platform-terraform-external-dns?ref=0.1.0): list index out of range
2026-06-08 11:59:33,277 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/container-platform-terraform-karpenter?ref=5028eb32e7fa4386a879a47307620eecfb41fe63): list index out of range
2026-06-08 11:59:33,277 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/container-platform-terraform-starter-pack?ref=1.1.1): list index out of range
2026-06-08 11:59:33,277 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/container-platform-terraform-cilium?ref=cp3_build): list index out of range
2026-06-08 11:59:33,277 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/container-platform-terraform-gatekeeper?ref=1.0.0): list index out of range
terraform scan results:

Passed checks: 12, Failed checks: 5, Skipped checks: 0

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: cilium
	File: /cilium.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1 | module "cilium" {
		2 |   source = "github.com/ministryofjustice/container-platform-terraform-cilium?ref=cp3_build" # use the latest release
		3 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: cilium
	File: /cilium.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		1 | module "cilium" {
		2 |   source = "github.com/ministryofjustice/container-platform-terraform-cilium?ref=cp3_build" # use the latest release
		3 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: external_dns
	File: /external-dns.tf:13-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		13 | module "external_dns" {
		14 |   source = "github.com/ministryofjustice/container-platform-terraform-external-dns?ref=0.1.0"
		15 |
		16 |   eks_cluster_name = local.cluster_name
		17 |
		18 |   required_inputs = {
		19 |     cloud-platform-development = {
		20 |       version                 = local.chart_version
		21 |       domain_name_prefix      = "development"
		22 |       sync_interval           = local.sync_interval.development
		23 |       aws_zone_cache_duration = local.aws_zone_cache_duration.development
		24 |       log_level               = "info"
		25 |     }
		26 |     cloud-platform-preproduction = {
		27 |       version                 = local.chart_version
		28 |       domain_name_prefix      = "preproduction"
		29 |       sync_interval           = local.sync_interval.development
		30 |       aws_zone_cache_duration = local.aws_zone_cache_duration.development
		31 |       log_level               = "info"
		32 |     }
		33 |     cloud-platform-nonlive = {
		34 |       version                 = local.chart_version
		35 |       domain_name_prefix      = "nonlive"
		36 |       sync_interval           = local.sync_interval.production
		37 |       aws_zone_cache_duration = local.aws_zone_cache_duration.production
		38 |       log_level               = "info"
		39 |     }
		40 |     cloud-platform-live = {
		41 |       version                 = local.chart_version
		42 |       domain_name_prefix      = "live"
		43 |       sync_interval           = local.sync_interval.production
		44 |       aws_zone_cache_duration = local.aws_zone_cache_duration.production
		45 |       log_level               = "info"
		46 |     }
		47 |
		48 |   }
		49 |   tags = {
		50 |     application   = "External DNS"
		51 |     business-unit = "OCTO"
		52 |     owner         = "Container Platform: External DNS"
		53 |     service-area  = "Hosting"
		54 |     source-code   = "https://github.com/ministryofjustice/container-platform-terraform-external-dns"
		55 |     slack-channel = "cloud-platform"
		56 |     is-production = "true"
		57 |   }
		58 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: gatekeeper
	File: /gatekeeper.tf:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "gatekeeper" {
		2  |   source = "github.com/ministryofjustice/container-platform-terraform-gatekeeper?ref=1.0.0"
		3  |
		4  |   # boolean expression for applying opa valid hostname for test clusters only.
		5  |   dryrun_map = {
		6  |     service_type                       = false,
		7  |     warn_service_account_secret_delete = false,
		8  |     user_ns_requires_psa_label         = false,
		9  |     lock_priv_capabilities             = false,
		10 |     warn_kubectl_create_sa             = false,
		11 |   }
		12 |
		13 |   constraint_violations_max_to_display = 25
		14 |   is_production                        = contains(local.mp_environments, terraform.workspace) ? "true" : "false"
		15 |   environment_name                     = terraform.workspace
		16 |   out_of_hours_alert                   = "false"
		17 |   controller_mem_limit                 = "1Gi"
		18 |   controller_mem_req                   = "512Mi"
		19 |   audit_mem_limit                      = "1Gi"
		20 |   audit_mem_req                        = "512Mi"
		21 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: starter_pack
	File: /starter_pack.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1 | module "starter_pack" {
		2 |   count             = var.enable_starter_pack && local.cluster_environment == "development_cluster" ? 1 : 0
		3 |   source            = "github.com/ministryofjustice/container-platform-terraform-starter-pack?ref=1.1.1"
		4 |   gateway_name      = "eg"
		5 |   gateway_namespace = "default"
		6 |   enable_httproute  = false # HTTPRoute can't be created until gateway API CRDs are installed
		7 |   image_repository  = format("%s.dkr.ecr.%s.amazonaws.com/cloud-platform/container-platform-terraform-starter-pack", data.aws_caller_identity.current.account_id, data.aws_region.current.region)
		8 |   image_tag         = "1.1.1"
		9 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/cloud-platform
2026-06-08 11:59:36,803 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=b40748ec162b446f8f8d282f767a85b6501fd192): list index out of range
2026-06-08 11:59:36,803 [MainThread  ] [WARNI]  Unable to load module (terraform-aws-modules/eks-pod-identity/aws): list index out of range
2026-06-08 11:59:36,804 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/container-platform-terraform-external-dns?ref=0.1.0): list index out of range
2026-06-08 11:59:36,804 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/container-platform-terraform-karpenter?ref=5028eb32e7fa4386a879a47307620eecfb41fe63): list index out of range
2026-06-08 11:59:36,804 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/container-platform-terraform-starter-pack?ref=1.1.1): list index out of range
2026-06-08 11:59:36,804 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/container-platform-terraform-cilium?ref=cp3_build): list index out of range
2026-06-08 11:59:36,804 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/container-platform-terraform-gatekeeper?ref=1.0.0): list index out of range
terraform scan results:

Passed checks: 135, Failed checks: 55, Skipped checks: 0

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.pagerduty_integration_key
	File: /account-alert-secrets.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "pagerduty_integration_key" {
		2 |   name        = "pagerduty/high-priority-alarms/integration-key"
		3 |   description = "PagerDuty integration key for high priority security alarms"
		4 |   tags        = local.tags
		5 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.high_priority_alerts
	File: /account-alerts.tf:16-19
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		16 | resource "aws_sns_topic" "high_priority_alerts" {
		17 |   name = "high-priority-alerts"
		18 |   tags = local.tags
		19 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: cilium
	File: /cluster-core/cilium.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1 | module "cilium" {
		2 |   source = "github.com/ministryofjustice/container-platform-terraform-cilium?ref=cp3_build" # use the latest release
		3 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: cilium
	File: /cluster-core/cilium.tf:1-3
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		1 | module "cilium" {
		2 |   source = "github.com/ministryofjustice/container-platform-terraform-cilium?ref=cp3_build" # use the latest release
		3 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: external_dns
	File: /cluster-core/external-dns.tf:13-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		13 | module "external_dns" {
		14 |   source = "github.com/ministryofjustice/container-platform-terraform-external-dns?ref=0.1.0"
		15 |
		16 |   eks_cluster_name = local.cluster_name
		17 |
		18 |   required_inputs = {
		19 |     cloud-platform-development = {
		20 |       version                 = local.chart_version
		21 |       domain_name_prefix      = "development"
		22 |       sync_interval           = local.sync_interval.development
		23 |       aws_zone_cache_duration = local.aws_zone_cache_duration.development
		24 |       log_level               = "info"
		25 |     }
		26 |     cloud-platform-preproduction = {
		27 |       version                 = local.chart_version
		28 |       domain_name_prefix      = "preproduction"
		29 |       sync_interval           = local.sync_interval.development
		30 |       aws_zone_cache_duration = local.aws_zone_cache_duration.development
		31 |       log_level               = "info"
		32 |     }
		33 |     cloud-platform-nonlive = {
		34 |       version                 = local.chart_version
		35 |       domain_name_prefix      = "nonlive"
		36 |       sync_interval           = local.sync_interval.production
		37 |       aws_zone_cache_duration = local.aws_zone_cache_duration.production
		38 |       log_level               = "info"
		39 |     }
		40 |     cloud-platform-live = {
		41 |       version                 = local.chart_version
		42 |       domain_name_prefix      = "live"
		43 |       sync_interval           = local.sync_interval.production
		44 |       aws_zone_cache_duration = local.aws_zone_cache_duration.production
		45 |       log_level               = "info"
		46 |     }
		47 |
		48 |   }
		49 |   tags = {
		50 |     application   = "External DNS"
		51 |     business-unit = "OCTO"
		52 |     owner         = "Container Platform: External DNS"
		53 |     service-area  = "Hosting"
		54 |     source-code   = "https://github.com/ministryofjustice/container-platform-terraform-external-dns"
		55 |     slack-channel = "cloud-platform"
		56 |     is-production = "true"
		57 |   }
		58 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: gatekeeper
	File: /cluster-core/gatekeeper.tf:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "gatekeeper" {
		2  |   source = "github.com/ministryofjustice/container-platform-terraform-gatekeeper?ref=1.0.0"
		3  |
		4  |   # boolean expression for applying opa valid hostname for test clusters only.
		5  |   dryrun_map = {
		6  |     service_type                       = false,
		7  |     warn_service_account_secret_delete = false,
		8  |     user_ns_requires_psa_label         = false,
		9  |     lock_priv_capabilities             = false,
		10 |     warn_kubectl_create_sa             = false,
		11 |   }
		12 |
		13 |   constraint_violations_max_to_display = 25
		14 |   is_production                        = contains(local.mp_environments, terraform.workspace) ? "true" : "false"
		15 |   environment_name                     = terraform.workspace
		16 |   out_of_hours_alert                   = "false"
		17 |   controller_mem_limit                 = "1Gi"
		18 |   controller_mem_req                   = "512Mi"
		19 |   audit_mem_limit                      = "1Gi"
		20 |   audit_mem_req                        = "512Mi"
		21 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: starter_pack
	File: /cluster-core/starter_pack.tf:1-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1 | module "starter_pack" {
		2 |   count             = var.enable_starter_pack && local.cluster_environment == "development_cluster" ? 1 : 0
		3 |   source            = "github.com/ministryofjustice/container-platform-terraform-starter-pack?ref=1.1.1"
		4 |   gateway_name      = "eg"
		5 |   gateway_namespace = "default"
		6 |   enable_httproute  = false # HTTPRoute can't be created until gateway API CRDs are installed
		7 |   image_repository  = format("%s.dkr.ecr.%s.amazonaws.com/cloud-platform/container-platform-terraform-starter-pack", data.aws_caller_identity.current.account_id, data.aws_region.current.region)
		8 |   image_tag         = "1.1.1"
		9 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: eks
	File: /cluster/eks-cluster.tf:1-170
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: aws_vpc_cni_pod_identity
	File: /cluster/eks-pod-identities.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "aws_vpc_cni_pod_identity" {
		2  |
		3  |   source  = "terraform-aws-modules/eks-pod-identity/aws"
		4  |   version = "2.5.0"
		5  |
		6  |   name = "aws-vpc-cni"
		7  |
		8  |   attach_aws_vpc_cni_policy = true
		9  |   aws_vpc_cni_enable_ipv4   = true
		10 |
		11 |   associations = {
		12 |     this = {
		13 |       cluster_name    = module.eks.cluster_name
		14 |       namespace       = "kube-system"
		15 |       service_account = "aws-node"
		16 |     }
		17 |   }
		18 |
		19 |   tags = local.tags
		20 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: aws_ebs_csi_pod_identity
	File: /cluster/eks-pod-identities.tf:22-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		22 | module "aws_ebs_csi_pod_identity" {
		23 |
		24 |   source = "terraform-aws-modules/eks-pod-identity/aws"
		25 |
		26 |   name = "aws-ebs-csi"
		27 |
		28 |   attach_aws_ebs_csi_policy = true
		29 |   # aws_ebs_csi_kms_arns      = ["arn:aws:kms:*:*:key/1234abcd-12ab-34cd-56ef-1234567890ab"]
		30 |
		31 |   associations = {
		32 |     this = {
		33 |       cluster_name    = module.eks.cluster_name
		34 |       namespace       = "kube-system"
		35 |       service_account = "ebs-csi-controller-sa"
		36 |     }
		37 |   }
		38 |
		39 |   tags = local.tags
		40 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: aws_ebs_csi_pod_identity
	File: /cluster/eks-pod-identities.tf:22-40
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-tag

		22 | module "aws_ebs_csi_pod_identity" {
		23 |
		24 |   source = "terraform-aws-modules/eks-pod-identity/aws"
		25 |
		26 |   name = "aws-ebs-csi"
		27 |
		28 |   attach_aws_ebs_csi_policy = true
		29 |   # aws_ebs_csi_kms_arns      = ["arn:aws:kms:*:*:key/1234abcd-12ab-34cd-56ef-1234567890ab"]
		30 |
		31 |   associations = {
		32 |     this = {
		33 |       cluster_name    = module.eks.cluster_name
		34 |       namespace       = "kube-system"
		35 |       service_account = "ebs-csi-controller-sa"
		36 |     }
		37 |   }
		38 |
		39 |   tags = local.tags
		40 | }

Check: CKV_AWS_136: "Ensure that ECR repositories are encrypted using KMS"
	FAILED for resource: aws_ecr_repository.starter_pack
	File: /ecr.tf:14-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-ecr-repositories-are-encrypted

		14 | resource "aws_ecr_repository" "starter_pack" {
		15 |   count = local.environment == "development" ? 1 : 0
		16 |
		17 |   name = "cloud-platform/container-platform-terraform-starter-pack"
		18 |
		19 |   image_scanning_configuration {
		20 |     scan_on_push = true
		21 |   }
		22 |
		23 |   force_delete = false
		24 |   tags         = local.starter_pack_default_tags
		25 |
		26 |   lifecycle {
		27 |     ignore_changes = [name]
		28 |   }
		29 | }

Check: CKV_AWS_51: "Ensure ECR Image Tags are immutable"
	FAILED for resource: aws_ecr_repository.starter_pack
	File: /ecr.tf:14-29
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-general-24

		14 | resource "aws_ecr_repository" "starter_pack" {
		15 |   count = local.environment == "development" ? 1 : 0
		16 |
		17 |   name = "cloud-platform/container-platform-terraform-starter-pack"
		18 |
		19 |   image_scanning_configuration {
		20 |     scan_on_push = true
		21 |   }
		22 |
		23 |   force_delete = false
		24 |   tags         = local.starter_pack_default_tags
		25 |
		26 |   lifecycle {
		27 |     ignore_changes = [name]
		28 |   }
		29 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_endpoints_security_group
	File: /network/vpc-endpoints.tf:1-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "vpc_endpoints_security_group" {
		2  |
		3  |   source  = "terraform-aws-modules/security-group/aws"
		4  |   version = "5.3.1"
		5  |
		6  |   name        = "${module.vpc.name}-vpc-endpoints"
		7  |   description = "VPC endpoints security group"
		8  |
		9  |   vpc_id = module.vpc.vpc_id
		10 |
		11 |   ingress_cidr_blocks = [module.vpc.vpc_cidr_block]
		12 |   ingress_rules       = ["https-443-tcp"]
		13 |
		14 |   # Additional ports for SES SMTP VPC endpoint
		15 |   ingress_with_cidr_blocks = [
		16 |     {
		17 |       from_port   = 465
		18 |       to_port     = 465
		19 |       protocol    = "tcp"
		20 |       description = "SES SMTP - SMTPS"
		21 |       cidr_blocks = module.vpc.vpc_cidr_block
		22 |     },
		23 |     {
		24 |       from_port   = 587
		25 |       to_port     = 587
		26 |       protocol    = "tcp"
		27 |       description = "SES SMTP - SMTP submission"
		28 |       cidr_blocks = module.vpc.vpc_cidr_block
		29 |     },
		30 |     {
		31 |       from_port   = 2465
		32 |       to_port     = 2465
		33 |       protocol    = "tcp"
		34 |       description = "SES SMTP - SMTPS alternate"
		35 |       cidr_blocks = module.vpc.vpc_cidr_block
		36 |     },
		37 |     {
		38 |       from_port   = 2587
		39 |       to_port     = 2587
		40 |       protocol    = "tcp"
		41 |       description = "SES SMTP - SMTP submission alternate"
		42 |       cidr_blocks = module.vpc.vpc_cidr_block
		43 |     }
		44 |   ]
		45 |
		46 |   tags = local.tags
		47 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["elasticache"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc-gateway-endpoints["s3"]
	File: /network/vpc-endpoints.tf:71-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		71 | module "vpc-gateway-endpoints" {
		72 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		73 |   version  = "6.5.1"
		74 |   for_each = toset(local.vpc_gateway_endpoint_service_names)
		75 |
		76 |   vpc_id = module.vpc.vpc_id
		77 |
		78 |   endpoints = {
		79 |     (each.value) = {
		80 |       service         = each.value
		81 |       service_type    = "Gateway"
		82 |       route_table_ids = module.vpc.private_route_table_ids
		83 |       tags = merge(
		84 |         local.tags,
		85 |         { Name = "${module.vpc.name}-${each.value}" }
		86 |       )
		87 |     }
		88 |   }
		89 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["securityhub"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["sns"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["eks-auth"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["athena"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["cloudtrail"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["email-smtp"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["lambda"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["ec2"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["rds-data"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["backup"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["dms"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["events"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["wafv2"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["inspector2"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["kms"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["secretsmanager"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["ecr.dkr"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["kinesis-firehose"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["email"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["detective"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["eks"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["guardduty-data"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["apigateway"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["ssm"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["transcribe"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["config"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["sqs"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["sts"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["logs"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["rds"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc_vpc-endpoints["ecr.api"]
	File: /network/vpc-endpoints.tf:49-69
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		49 | module "vpc_vpc-endpoints" {
		50 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		51 |   version  = "6.5.1"
		52 |   for_each = toset(local.vpc_interface_endpoint_service_names)
		53 |
		54 |   vpc_id             = module.vpc.vpc_id
		55 |   security_group_ids = [module.vpc_endpoints_security_group.security_group_id]
		56 |
		57 |   endpoints = {
		58 |     (each.value) = {
		59 |       service             = each.value
		60 |       service_type        = "Interface"
		61 |       subnet_ids          = aws_subnet.eks_private[*].id
		62 |       private_dns_enabled = true
		63 |       tags = merge(
		64 |         local.tags,
		65 |         { Name = format("%s-%s", module.vpc.name, each.value) }
		66 |       )
		67 |     }
		68 |   }
		69 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc-gateway-endpoints["dynamodb"]
	File: /network/vpc-endpoints.tf:71-89
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		71 | module "vpc-gateway-endpoints" {
		72 |   source   = "terraform-aws-modules/vpc/aws//modules/vpc-endpoints"
		73 |   version  = "6.5.1"
		74 |   for_each = toset(local.vpc_gateway_endpoint_service_names)
		75 |
		76 |   vpc_id = module.vpc.vpc_id
		77 |
		78 |   endpoints = {
		79 |     (each.value) = {
		80 |       service         = each.value
		81 |       service_type    = "Gateway"
		82 |       route_table_ids = module.vpc.private_route_table_ids
		83 |       tags = merge(
		84 |         local.tags,
		85 |         { Name = "${module.vpc.name}-${each.value}" }
		86 |       )
		87 |     }
		88 |   }
		89 | }
Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: vpc
	File: /network/vpc.tf:1-41
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		1  | module "vpc" {
		2  |   version = "6.5.1"
		3  |   source  = "terraform-aws-modules/vpc/aws"
		4  |
		5  |   name = local.cp_vpc_name
		6  |   cidr = lookup(local.cp_vpc_cidr, local.cluster_environment)
		7  |   azs  = slice(data.aws_availability_zones.available.names, 0, 3)
		8  |   private_subnets = [
		9  |     cidrsubnet(lookup(local.cp_vpc_cidr, local.cluster_environment), 3, 1),
		10 |     cidrsubnet(lookup(local.cp_vpc_cidr, local.cluster_environment), 3, 2),
		11 |     cidrsubnet(lookup(local.cp_vpc_cidr, local.cluster_environment), 3, 3)
		12 |   ]
		13 |
		14 |   public_subnets = [
		15 |     cidrsubnet(lookup(local.cp_vpc_cidr, local.cluster_environment), 6, 0),
		16 |     cidrsubnet(lookup(local.cp_vpc_cidr, local.cluster_environment), 6, 1),
		17 |     cidrsubnet(lookup(local.cp_vpc_cidr, local.cluster_environment), 6, 2)
		18 |   ]
		19 |
		20 |   manage_default_network_acl    = false
		21 |   manage_default_route_table    = false
		22 |   manage_default_security_group = false
		23 |
		24 |   public_dedicated_network_acl = true //Creates a dedicated network ACL and attaches to the public subnets
		25 |
		26 |   enable_nat_gateway                  = true
		27 |   one_nat_gateway_per_az              = true
		28 |   create_multiple_public_route_tables = true
		29 |
		30 |   public_subnet_tags = {
		31 |     SubnetType = "Public"
		32 |   }
		33 |
		34 |   private_subnet_tags = {
		35 |     SubnetType = "Private"
		36 |   }
		37 |
		38 |   tags = merge({
		39 |     Terraform = "true"
		40 |   }, local.tags)
		41 | }

Check: CKV_AWS_107: "Ensure IAM policies does not allow credentials exposure"
	FAILED for resource: aws_iam_policy_document.github_actions_development_cluster_oidc_policy
	File: /oidc.tf:15-226
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-credentials-exposure

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.github_actions_development_cluster_oidc_policy
	File: /oidc.tf:15-226
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.github_actions_development_cluster_oidc_policy
	File: /oidc.tf:15-226
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.github_actions_development_cluster_oidc_policy
	File: /oidc.tf:15-226
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_policy_document.github_actions_development_cluster_oidc_policy
	File: /oidc.tf:15-226
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.pagerduty_integration_key
	File: /account-alert-secrets.tf:1-5
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "pagerduty_integration_key" {
		2 |   name        = "pagerduty/high-priority-alarms/integration-key"
		3 |   description = "PagerDuty integration key for high priority security alarms"
		4 |   tags        = local.tags
		5 | }

kubernetes scan results:

Passed checks: 70, Failed checks: 19, Skipped checks: 0

Check: CKV_K8S_22: "Use read-only filesystem for containers where possible"
	FAILED for resource: Deployment.default.inflate
	File: /cluster/inflate.yaml:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-21

		1  | apiVersion: apps/v1
		2  | kind: Deployment
		3  | metadata:
		4  |   name: inflate
		5  | spec:
		6  |   replicas: 5
		7  |   selector:
		8  |     matchLabels:
		9  |       app: inflate
		10 |   template:
		11 |     metadata:
		12 |       labels:
		13 |         app: inflate
		14 |     spec:
		15 |       terminationGracePeriodSeconds: 0
		16 |       containers:
		17 |         - name: inflate
		18 |           image: public.ecr.aws/eks-distro/kubernetes/pause:3.7
		19 |           resources:
		20 |             requests:
		21 |               cpu: 1
Check: CKV_K8S_37: "Minimize the admission of containers with capabilities assigned"
	FAILED for resource: Deployment.default.inflate
	File: /cluster/inflate.yaml:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-34

Check: CKV_K8S_40: "Containers should run as a high UID to avoid host conflict"
	FAILED for resource: Deployment.default.inflate
	File: /cluster/inflate.yaml:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-37

Check: CKV_K8S_12: "Memory requests should be set"
	FAILED for resource: Deployment.default.inflate
	File: /cluster/inflate.yaml:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-11

Check: CKV_K8S_11: "CPU limits should be set"
	FAILED for resource: Deployment.default.inflate
	File: /cluster/inflate.yaml:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-10

Check: CKV_K8S_13: "Memory limits should be set"
	FAILED for resource: Deployment.default.inflate
	File: /cluster/inflate.yaml:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-12

Check: CKV_K8S_15: "Image Pull Policy should be Always"
	FAILED for resource: Deployment.default.inflate
	File: /cluster/inflate.yaml:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-14

Check: CKV_K8S_21: "The default namespace should not be used"
	FAILED for resource: Deployment.default.inflate
	File: /cluster/inflate.yaml:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-20

Check: CKV_K8S_8: "Liveness Probe Should be Configured"
	FAILED for resource: Deployment.default.inflate
	File: /cluster/inflate.yaml:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-7

Check: CKV_K8S_9: "Readiness Probe Should be Configured"
	FAILED for resource: Deployment.default.inflate
	File: /cluster/inflate.yaml:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-8

Check: CKV_K8S_38: "Ensure that Service Account Tokens are only mounted where necessary"
	FAILED for resource: Deployment.default.inflate
	File: /cluster/inflate.yaml:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-35

Check: CKV_K8S_31: "Ensure that the seccomp profile is set to docker/default or runtime/default"
	FAILED for resource: Deployment.default.inflate
	File: /cluster/inflate.yaml:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-29

Check: CKV_K8S_43: "Image should use digest"
	FAILED for resource: Deployment.default.inflate
	File: /cluster/inflate.yaml:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-39

Check: CKV_K8S_23: "Minimize the admission of root containers"
	FAILED for resource: Deployment.default.inflate
	File: /cluster/inflate.yaml:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-22

Check: CKV_K8S_20: "Containers should not run with allowPrivilegeEscalation"
	FAILED for resource: Deployment.default.inflate
	File: /cluster/inflate.yaml:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-19

Check: CKV_K8S_29: "Apply security context to your pods and containers"
	FAILED for resource: Deployment.default.inflate
	File: /cluster/inflate.yaml:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/ensure-securitycontext-is-applied-to-pods-and-containers

Check: CKV_K8S_30: "Apply security context to your containers"
	FAILED for resource: Deployment.default.inflate
	File: /cluster/inflate.yaml:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-28

Check: CKV_K8S_28: "Minimize the admission of containers with the NET_RAW capability"
	FAILED for resource: Deployment.default.inflate
	File: /cluster/inflate.yaml:1-21
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/kubernetes-policies/kubernetes-policy-index/bc-k8s-27

Check: CKV2_K8S_6: "Minimize the admission of pods which lack an associated NetworkPolicy"
	FAILED for resource: Pod.default.inflate.app-inflate
	File: /cluster/inflate.yaml:1-21

		1  | apiVersion: apps/v1
		2  | kind: Deployment
		3  | metadata:
		4  |   name: inflate
		5  | spec:
		6  |   replicas: 5
		7  |   selector:
		8  |     matchLabels:
		9  |       app: inflate
		10 |   template:
		11 |     metadata:
		12 |       labels:
		13 |         app: inflate
		14 |     spec:
		15 |       terminationGracePeriodSeconds: 0
		16 |       containers:
		17 |         - name: inflate
		18 |           image: public.ecr.aws/eks-distro/kubernetes/pause:3.7
		19 |           resources:
		20 |             requests:
		21 |               cpu: 1

checkov_exitcode=2

TFLint Scan Success

*****************************

Using default config
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint checking:
terraform/environments/cloud-platform/cluster-core
terraform/environments/cloud-platform

*****************************

Running tflint in terraform/environments/cloud-platform/cluster-core
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/cloud-platform
tflint_exitcode=0
