implementing postgres #17075

Open
sivabathina2 wants to merge 5 commits into main from ldf-275-postgres-cdc-implementation

Conversation

@sivabathina2 sivabathina2 commented Jun 8, 2026

Implementing Postgres after the weekend nuke, to test full load and CDC

@sivabathina2 sivabathina2 requested review from a team as code owners June 8, 2026 14:15
@github-actions github-actions Bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jun 8, 2026
@sivabathina2 sivabathina2 temporarily deployed to data-factory-laa-development June 8, 2026 14:32 — with GitHub Actions Inactive
@sivabathina2 sivabathina2 temporarily deployed to data-factory-laa-development June 8, 2026 15:01 — with GitHub Actions Inactive
@sivabathina2 sivabathina2 temporarily deployed to data-factory-laa-test June 8, 2026 15:42 — with GitHub Actions Inactive
@sivabathina2 sivabathina2 deployed to data-factory-laa-development June 8, 2026 15:43 — with GitHub Actions Active
@sivabathina2 sivabathina2 deployed to data-factory-laa-test June 8, 2026 17:00 — with GitHub Actions Active
@sivabathina2 sivabathina2 had a problem deploying to data-factory-laa-development June 8, 2026 17:00 — with GitHub Actions Failure
github-actions Bot commented Jun 8, 2026

Checkov Scan Success

*****************************

Checkov will check the following folders:
terraform/environments/data-factory-laa

*****************************

Running Checkov in terraform/environments/data-factory-laa
2026-06-08 17:00:49,937 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=ce9c0c07489e393ce80441aed0fd5bf7798956a3): list index out of range
2026-06-08 17:00:49,937 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/terraform-dms-module?ref=bc5a588): list index out of range
2026-06-08 17:00:49,937 [MainThread  ] [WARNI]  Unable to load module (github.com/ministryofjustice/terraform-dms-module?ref=5a6b4dd49d1b2c92813f8bdb0b42e117ce247ba2): list index out of range
terraform scan results:

Passed checks: 175, Failed checks: 21, Skipped checks: 5

Check: CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"
	FAILED for resource: aws_kms_key.data_lake_kms_key
	File: /data-lake.tf:34-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/logging-8

		34 | resource "aws_kms_key" "data_lake_kms_key" {
		35 |   description             = "KMS key for encrypting data in the data lake"
		36 |   deletion_window_in_days = 10
		37 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.dms_slack_webhook
	File: /dms.tf:149-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		149 | resource "aws_secretsmanager_secret" "dms_slack_webhook" {
		150 |   count = local.is-development ? 1 : 0
		151 |   name  = "${local.application_name}-${local.environment}/dms/slack-webhook"
		152 |   tags  = local.tags
		153 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.oracle_dms_kms
	File: /dms.tf:32-70
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		32 | data "aws_iam_policy_document" "oracle_dms_kms" {
		33 |   count = local.is-development ? 1 : 0
		34 |
		35 |   statement {
		36 |     sid    = "AllowAccountRootFullAccess"
		37 |     effect = "Allow"
		38 |
		39 |     principals {
		40 |       type        = "AWS"
		41 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		42 |     }
		43 |
		44 |     actions   = ["kms:*"]
		45 |     resources = ["*"]
		46 |   }
		47 |
		48 |   statement {
		49 |     sid    = "AllowS3ToUseKeyForQueueNotifications"
		50 |     effect = "Allow"
		51 |
		52 |     principals {
		53 |       type        = "Service"
		54 |       identifiers = ["s3.amazonaws.com"]
		55 |     }
		56 |
		57 |     actions = [
		58 |       "kms:GenerateDataKey",
		59 |       "kms:Decrypt",
		60 |     ]
		61 |
		62 |     resources = ["*"]
		63 |
		64 |     condition {
		65 |       test     = "StringEquals"
		66 |       variable = "aws:SourceAccount"
		67 |       values   = [data.aws_caller_identity.current.account_id]
		68 |     }
		69 |   }
		70 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.oracle_dms_kms
	File: /dms.tf:32-70
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		32 | data "aws_iam_policy_document" "oracle_dms_kms" {
		33 |   count = local.is-development ? 1 : 0
		34 |
		35 |   statement {
		36 |     sid    = "AllowAccountRootFullAccess"
		37 |     effect = "Allow"
		38 |
		39 |     principals {
		40 |       type        = "AWS"
		41 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		42 |     }
		43 |
		44 |     actions   = ["kms:*"]
		45 |     resources = ["*"]
		46 |   }
		47 |
		48 |   statement {
		49 |     sid    = "AllowS3ToUseKeyForQueueNotifications"
		50 |     effect = "Allow"
		51 |
		52 |     principals {
		53 |       type        = "Service"
		54 |       identifiers = ["s3.amazonaws.com"]
		55 |     }
		56 |
		57 |     actions = [
		58 |       "kms:GenerateDataKey",
		59 |       "kms:Decrypt",
		60 |     ]
		61 |
		62 |     resources = ["*"]
		63 |
		64 |     condition {
		65 |       test     = "StringEquals"
		66 |       variable = "aws:SourceAccount"
		67 |       values   = [data.aws_caller_identity.current.account_id]
		68 |     }
		69 |   }
		70 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.oracle_dms_kms
	File: /dms.tf:32-70
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		32 | data "aws_iam_policy_document" "oracle_dms_kms" {
		33 |   count = local.is-development ? 1 : 0
		34 |
		35 |   statement {
		36 |     sid    = "AllowAccountRootFullAccess"
		37 |     effect = "Allow"
		38 |
		39 |     principals {
		40 |       type        = "AWS"
		41 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		42 |     }
		43 |
		44 |     actions   = ["kms:*"]
		45 |     resources = ["*"]
		46 |   }
		47 |
		48 |   statement {
		49 |     sid    = "AllowS3ToUseKeyForQueueNotifications"
		50 |     effect = "Allow"
		51 |
		52 |     principals {
		53 |       type        = "Service"
		54 |       identifiers = ["s3.amazonaws.com"]
		55 |     }
		56 |
		57 |     actions = [
		58 |       "kms:GenerateDataKey",
		59 |       "kms:Decrypt",
		60 |     ]
		61 |
		62 |     resources = ["*"]
		63 |
		64 |     condition {
		65 |       test     = "StringEquals"
		66 |       variable = "aws:SourceAccount"
		67 |       values   = [data.aws_caller_identity.current.account_id]
		68 |     }
		69 |   }
		70 | }

Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.postgres_dms_kms
	File: /dms.tf:352-390
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		352 | data "aws_iam_policy_document" "postgres_dms_kms" {
		353 |   count = local.is-development ? 1 : 0
		354 |
		355 |   statement {
		356 |     sid    = "AllowAccountRootFullAccess"
		357 |     effect = "Allow"
		358 |
		359 |     principals {
		360 |       type        = "AWS"
		361 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		362 |     }
		363 |
		364 |     actions   = ["kms:*"]
		365 |     resources = ["*"]
		366 |   }
		367 |
		368 |   statement {
		369 |     sid    = "AllowS3ToUseKeyForQueueNotifications"
		370 |     effect = "Allow"
		371 |
		372 |     principals {
		373 |       type        = "Service"
		374 |       identifiers = ["s3.amazonaws.com"]
		375 |     }
		376 |
		377 |     actions = [
		378 |       "kms:GenerateDataKey",
		379 |       "kms:Decrypt",
		380 |     ]
		381 |
		382 |     resources = ["*"]
		383 |
		384 |     condition {
		385 |       test     = "StringEquals"
		386 |       variable = "aws:SourceAccount"
		387 |       values   = [data.aws_caller_identity.current.account_id]
		388 |     }
		389 |   }
		390 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.postgres_dms_kms
	File: /dms.tf:352-390
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		352 | data "aws_iam_policy_document" "postgres_dms_kms" {
		353 |   count = local.is-development ? 1 : 0
		354 |
		355 |   statement {
		356 |     sid    = "AllowAccountRootFullAccess"
		357 |     effect = "Allow"
		358 |
		359 |     principals {
		360 |       type        = "AWS"
		361 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		362 |     }
		363 |
		364 |     actions   = ["kms:*"]
		365 |     resources = ["*"]
		366 |   }
		367 |
		368 |   statement {
		369 |     sid    = "AllowS3ToUseKeyForQueueNotifications"
		370 |     effect = "Allow"
		371 |
		372 |     principals {
		373 |       type        = "Service"
		374 |       identifiers = ["s3.amazonaws.com"]
		375 |     }
		376 |
		377 |     actions = [
		378 |       "kms:GenerateDataKey",
		379 |       "kms:Decrypt",
		380 |     ]
		381 |
		382 |     resources = ["*"]
		383 |
		384 |     condition {
		385 |       test     = "StringEquals"
		386 |       variable = "aws:SourceAccount"
		387 |       values   = [data.aws_caller_identity.current.account_id]
		388 |     }
		389 |   }
		390 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.postgres_dms_kms
	File: /dms.tf:352-390
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		352 | data "aws_iam_policy_document" "postgres_dms_kms" {
		353 |   count = local.is-development ? 1 : 0
		354 |
		355 |   statement {
		356 |     sid    = "AllowAccountRootFullAccess"
		357 |     effect = "Allow"
		358 |
		359 |     principals {
		360 |       type        = "AWS"
		361 |       identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
		362 |     }
		363 |
		364 |     actions   = ["kms:*"]
		365 |     resources = ["*"]
		366 |   }
		367 |
		368 |   statement {
		369 |     sid    = "AllowS3ToUseKeyForQueueNotifications"
		370 |     effect = "Allow"
		371 |
		372 |     principals {
		373 |       type        = "Service"
		374 |       identifiers = ["s3.amazonaws.com"]
		375 |     }
		376 |
		377 |     actions = [
		378 |       "kms:GenerateDataKey",
		379 |       "kms:Decrypt",
		380 |     ]
		381 |
		382 |     resources = ["*"]
		383 |
		384 |     condition {
		385 |       test     = "StringEquals"
		386 |       variable = "aws:SourceAccount"
		387 |       values   = [data.aws_caller_identity.current.account_id]
		388 |     }
		389 |   }
		390 | }

Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.cadet_role.aws_iam_policy_document.cadet_policy
	File: /modules/cadet-role/main.tf:21-49
	Calling File: /airflow.tf:5-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		21 | data "aws_iam_policy_document" "cadet_policy" {
		22 |   statement {
		23 |     effect = "Allow"
		24 |     actions = [
		25 |       "lakeformation:*",
		26 |     ]
		27 |     resources = ["*"]
		28 |   }
		29 |
		30 |   statement {
		31 |     effect = "Allow"
		32 |     actions = [
		33 |       "glue:GetTable",
		34 |       "glue:GetDatabase",
		35 |       "glue:GetDatabases",
		36 |       "glue:CreateTable",
		37 |       "glue:DeleteTable",
		38 |       "glue:CreateDatabase",
		39 |       "glue:DeleteDatabase",
		40 |       "glue:UpdateTable",
		41 |       "glue:CreatePartition",
		42 |       "glue:BatchCreatePartition",
		43 |       "glue:UpdatePartition",
		44 |       "glue:GetPartition",
		45 |       "glue:GetPartitions",
		46 |     ]
		47 |     resources = ["*"]
		48 |   }
		49 | }

Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.cadet_role.aws_iam_policy_document.cadet_policy
	File: /modules/cadet-role/main.tf:21-49
	Calling File: /airflow.tf:5-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		21 | data "aws_iam_policy_document" "cadet_policy" {
		22 |   statement {
		23 |     effect = "Allow"
		24 |     actions = [
		25 |       "lakeformation:*",
		26 |     ]
		27 |     resources = ["*"]
		28 |   }
		29 |
		30 |   statement {
		31 |     effect = "Allow"
		32 |     actions = [
		33 |       "glue:GetTable",
		34 |       "glue:GetDatabase",
		35 |       "glue:GetDatabases",
		36 |       "glue:CreateTable",
		37 |       "glue:DeleteTable",
		38 |       "glue:CreateDatabase",
		39 |       "glue:DeleteDatabase",
		40 |       "glue:UpdateTable",
		41 |       "glue:CreatePartition",
		42 |       "glue:BatchCreatePartition",
		43 |       "glue:UpdatePartition",
		44 |       "glue:GetPartition",
		45 |       "glue:GetPartitions",
		46 |     ]
		47 |     resources = ["*"]
		48 |   }
		49 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.fabric_tenant_id
	File: /secrets.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		1 | resource "aws_secretsmanager_secret" "fabric_tenant_id" {
		2 |   name = "data-factory-laa-${local.environment}/fabric-tenant-id"
		3 |   tags = local.tags
		4 | }

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.fabric_enterprise_app_object_id
	File: /secrets.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		6 | resource "aws_secretsmanager_secret" "fabric_enterprise_app_object_id" {
		7 |   name = "data-factory-laa-${local.environment}/fabric-enterprise-app-object-id"
		8 |   tags = local.tags
		9 | }

Check: CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
	FAILED for resource: aws_s3_bucket.dms_config
	File: /dms.tf:98-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/s3-policies/s3-13-enable-logging

		98  | resource "aws_s3_bucket" "dms_config" {
		99  |   count  = local.is-development ? 1 : 0
		100 |   bucket = "${local.application_name}-${local.environment}-dms-config"
		101 |   tags   = local.tags
		102 | }

Check: CKV2_AWS_64: "Ensure KMS key Policy is defined"
	FAILED for resource: aws_kms_key.data_lake_kms_key
	File: /data-lake.tf:34-37
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-2-64

		34 | resource "aws_kms_key" "data_lake_kms_key" {
		35 |   description             = "KMS key for encrypting data in the data lake"
		36 |   deletion_window_in_days = 10
		37 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.dms_slack_webhook
	File: /dms.tf:149-153
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		149 | resource "aws_secretsmanager_secret" "dms_slack_webhook" {
		150 |   count = local.is-development ? 1 : 0
		151 |   name  = "${local.application_name}-${local.environment}/dms/slack-webhook"
		152 |   tags  = local.tags
		153 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.fabric_tenant_id
	File: /secrets.tf:1-4
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		1 | resource "aws_secretsmanager_secret" "fabric_tenant_id" {
		2 |   name = "data-factory-laa-${local.environment}/fabric-tenant-id"
		3 |   tags = local.tags
		4 | }

Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.fabric_enterprise_app_object_id
	File: /secrets.tf:6-9
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		6 | resource "aws_secretsmanager_secret" "fabric_enterprise_app_object_id" {
		7 |   name = "data-factory-laa-${local.environment}/fabric-enterprise-app-object-id"
		8 |   tags = local.tags
		9 | }

Check: CKV2_AWS_62: "Ensure S3 buckets should have event notifications enabled"
	FAILED for resource: aws_s3_bucket.dms_config
	File: /dms.tf:98-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-62

		98  | resource "aws_s3_bucket" "dms_config" {
		99  |   count  = local.is-development ? 1 : 0
		100 |   bucket = "${local.application_name}-${local.environment}-dms-config"
		101 |   tags   = local.tags
		102 | }

Check: CKV_AWS_144: "Ensure that S3 bucket has cross-region replication enabled"
	FAILED for resource: aws_s3_bucket.dms_config
	File: /dms.tf:98-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-bucket-has-cross-region-replication-enabled

		98  | resource "aws_s3_bucket" "dms_config" {
		99  |   count  = local.is-development ? 1 : 0
		100 |   bucket = "${local.application_name}-${local.environment}-dms-config"
		101 |   tags   = local.tags
		102 | }

Check: CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration"
	FAILED for resource: aws_s3_bucket.dms_config
	File: /dms.tf:98-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-2-61

		98  | resource "aws_s3_bucket" "dms_config" {
		99  |   count  = local.is-development ? 1 : 0
		100 |   bucket = "${local.application_name}-${local.environment}-dms-config"
		101 |   tags   = local.tags
		102 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
	FAILED for resource: aws_s3_bucket.dms_config
	File: /dms.tf:98-102
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

		98  | resource "aws_s3_bucket" "dms_config" {
		99  |   count  = local.is-development ? 1 : 0
		100 |   bucket = "${local.application_name}-${local.environment}-dms-config"
		101 |   tags   = local.tags
		102 | }


checkov_exitcode=1

TFLint Scan Success

*****************************

Using default config
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint checking:
terraform/environments/data-factory-laa

*****************************

Running tflint in terraform/environments/data-factory-laa
tflint_exitcode=0
