Add standalone RDS Replica module #102

Merged
llama90 merged 4 commits into main from copilot/add-rds-replica-module
Feb 22, 2026

Conversation

Contributor

Copilot AI commented Feb 22, 2026

New module for creating a standalone AWS RDS read replica from an existing primary instance, decoupled from the primary RDS module.

Type of Change

  • New module
  • Module enhancement
  • Bug fix
  • Docs / tooling only
  • Other (please describe):

Checklist

  • CI checks passed (terraform validate / tflint / trivy / terraform-docs)
  • No breaking changes, or breaking changes are documented

Module Information

Module Path: terraform/aws/rds-replica

Purpose:
Creates a read replica of an existing RDS instance. Useful when you want to add replicas to a primary instance managed separately (e.g., provisioned by another team, or outside Terraform).

Key Resources:

  • aws_db_instance — replica instance via replicate_source_db
  • aws_security_group — optional, dedicated SG for the replica
  • aws_vpc_security_group_ingress_rule / aws_vpc_security_group_egress_rule — configurable ingress from SGs or CIDRs

module "rds_replica" {
  source = "github.com/llamandcoco/infra-modules//terraform/aws/rds-replica?ref=<commit-sha>"

  identifier                    = "myapp-db-replica"
  source_db_instance_identifier = "myapp-db"
  instance_class                = "db.t3.micro"

  vpc_id = var.vpc_id
}

Additional Notes

  • Storage encryption is always enforced (storage_encrypted = true); replicas cannot disable encryption inherited from source.
  • Preconditions guard against misconfiguration: monitoring_role_arn required when monitoring_interval > 0; port required when SG ingress rules are configured.
  • Instance sizing (compute, storage type, IOPS, throughput) is independently configurable from the source.
  • Mock-provider test in tests/basic/ validates terraform plan without AWS credentials.

Related Issues

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • checkpoint-api.hashicorp.com
    • Triggering command: /usr/local/bin/terraform terraform version (dns block)
    • Triggering command: /usr/local/bin/terraform terraform fmt -recursive terraform/aws/rds-replica/ (dns block)
    • Triggering command: /usr/local/bin/terraform terraform init -backend=false (dns block)

If you need me to access, download, or install something from one of these locations, you can either:


Co-authored-by: llama90 <6668548+llama90@users.noreply.github.com>
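As an added illustration (not code from this PR or from the llamandcoco/infra-modules repository), the following standalone Terraform sketch shows how the two preconditions and the always-on encryption described in the Additional Notes can be expressed on an aws_db_instance created with replicate_source_db. Variable names such as ingress_security_group_ids and the security-group wiring are assumed for illustration and are not the module's actual interface.

```hcl
# Added example: a standalone RDS read replica guarded by plan-time
# preconditions. Variable names below are assumed, not the module's own.

variable "identifier"                    { type = string }
variable "source_db_instance_identifier" { type = string }
variable "instance_class"                { type = string }
variable "vpc_id"                        { type = string }

# Port the replica listens on; only needed once ingress rules exist.
variable "port" {
  type    = number
  default = null
}

# 0 disables Enhanced Monitoring; any other value needs a role.
variable "monitoring_interval" {
  type    = number
  default = 0
}

variable "monitoring_role_arn" {
  type    = string
  default = null
}

# Assumed shape: security groups allowed to reach the replica.
variable "ingress_security_group_ids" {
  type    = list(string)
  default = []
}

resource "aws_security_group" "replica" {
  name_prefix = "${var.identifier}-"
  vpc_id      = var.vpc_id
}

# One ingress rule per allowed security group, scoped to the DB port only.
resource "aws_vpc_security_group_ingress_rule" "from_sg" {
  for_each = toset(var.ingress_security_group_ids)

  security_group_id            = aws_security_group.replica.id
  referenced_security_group_id = each.value
  ip_protocol                  = "tcp"
  from_port                    = var.port
  to_port                      = var.port
}

resource "aws_db_instance" "replica" {
  identifier          = var.identifier
  replicate_source_db = var.source_db_instance_identifier
  instance_class      = var.instance_class

  # Always enforced: a replica cannot drop encryption inherited from its source.
  storage_encrypted = true

  monitoring_interval = var.monitoring_interval
  monitoring_role_arn = var.monitoring_role_arn

  vpc_security_group_ids = [aws_security_group.replica.id]
  skip_final_snapshot    = true

  lifecycle {
    # Fails `terraform plan` before anything is created if monitoring is
    # requested without the IAM role RDS needs to publish the metrics.
    precondition {
      condition     = var.monitoring_interval == 0 || var.monitoring_role_arn != null
      error_message = "monitoring_role_arn is required when monitoring_interval > 0."
    }
    # Ingress rules are meaningless without a port to scope them to.
    precondition {
      condition     = length(var.ingress_security_group_ids) == 0 || var.port != null
      error_message = "port is required when security group ingress rules are configured."
    }
  }
}
```

With this shape a misconfigured call (for example monitoring_interval = 60 and no role) is rejected at plan time with the precondition's error_message, so the check surfaces in CI without AWS credentials; ingress stays limited to the listed security groups on the single DB port rather than a broad CIDR.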
Copilot AI changed the title [WIP] Add RDS Replica module Add standalone RDS Replica module Feb 22, 2026
Copilot AI requested a review from llama90 February 22, 2026 06:46
@llama90 llama90 marked this pull request as ready for review February 22, 2026 18:20
@github-actions
Contributor

🔍 Terraform Check Results

📊 Summary

All checks passed!

Check        Status      Issues                          Scope
🖌 Format    ✅ success  -                               All modules
🤖 Validate  ✅ success  -                               All modules
🔍 TFLint    ✅ success  0 issue(s)                      terraform
🔒 Trivy     ✅ success  0 critical, 0 high, 31 medium   terraform

🔍 TFLint Details (0 issue(s))
Running TFLint on changed modules:
terraform

=== Checking terraform ===
🔒 Trivy Security Details (31 issue(s))
Running Trivy on changed modules:
terraform

=== Scanning terraform ===

Report Summary

┌───────────────────────────────────────────────────────┬───────────┬───────────────────┐
│                        Target                         │   Type    │ Misconfigurations │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ _template/tests/basic                                 │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb-target-group/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb-target-group/tests/with_listener_rule         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb/main.tf                                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb/tests/host_based                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb/tests/https                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb/tests/multi_target                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb/tests/path_based                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/amazonmq-rabbitmq/tests/basic                     │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/amazonmq/main.tf                                  │ terraform │         3         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/amazonmq/tests/basic                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ami/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/api-gateway/main.tf                               │ terraform │         6         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/api-gateway/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/autoscaling/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/autoscaling/tests/with-instance-profile           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/autoscaling/tests/with-step-scaling               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/autoscaling/tests/with-warm-pool                  │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/aws-lb-controller-role/tests/basic                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/bedrock/main.tf                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/bedrock/tests/advanced                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/bedrock/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudfront/main.tf                                │ terraform │         5         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudfront/tests/alb_origin                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudfront/tests/basic                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudfront/tests/lambda_edge                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudfront/tests/multi_origin                     │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudfront/tests/s3_oac                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudtrail/tests/basic                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudwatch-alarm/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudwatch-dashboard/tests/basic                  │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudwatch-dashboard/tests/custom-metrics         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudwatch-dashboard/tests/pipeline               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codebuild/main.tf                                 │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codebuild/tests/basic                             │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codebuild/tests/custom_compute                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codebuild/tests/with_pipeline                     │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codedeploy/tests/basic                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codedeploy/tests/ec2                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codedeploy/tests/ecs                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codedeploy/tests/lambda                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codepipeline/main.tf                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codepipeline/tests/basic                          │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/dynamodb/tests/advanced                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/dynamodb/tests/basic                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ec2/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ec2/tests/spot_instance                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ec2/tests/user_data                               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ec2/tests/with_ebs                                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ec2/tests/with_eip                                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecr/main.tf                                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecr/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-cluster/main.tf                               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-cluster/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-cluster/tests/with_capacity_providers         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-execution-role/tests/basic                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-execution-role/tests/with_additional_policies │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-service/main.tf                               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-service/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-service/tests/with_autoscaling                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-task-role/tests/basic                         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-task-role/tests/with_policies                 │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eks-app-deployment/tests/basic                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eks-lb-controller/tests/basic                     │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eks-node-role/tests/basic                         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eks/main.tf                                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eks/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/elasticache/tests/advanced                        │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/elasticache/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/basic/main.tf                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/cross_account                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/cross_account/main.tf           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/pattern                         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/scheduled                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/scheduled/main.tf               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group-policy-attachment/tests/basic           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group-policy/main.tf                          │ terraform │         2         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group-policy/tests/advanced                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group-policy/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group/main.tf                                 │ terraform │         2         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group/tests/advanced                          │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group/tests/basic                             │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-policy/tests/basic                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-policy/tests/with_policy_document             │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-user-group-membership/tests/basic             │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-user-group-membership/tests/multiple-groups   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-user/main.tf                                  │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-user/tests/advanced                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-user/tests/basic                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/instance-profile/tests/advanced                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/instance-profile/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/internet-gateway/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/key-pair/tests/basic                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/lambda/main.tf                                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/lambda/tests/basic                                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/lambda/tests/event-source-mapping                 │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/lambda/tests/go                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/lambda/tests/python                               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/lambda/tests/typescript                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/launch-template/tests/advanced                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/launch-template/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/managed-prefix-list/tests/basic                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/nat-gateway/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/parameter-store/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds-option-group/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds-parameter-group/tests/advanced                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds-parameter-group/tests/basic                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds-replica/main.tf                               │ terraform │         2         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds-replica/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds/main.tf                                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds/tests/advanced                                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/route-table/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/s3/main.tf                                        │ terraform │         1         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/s3/tests/basic                                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/scp/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/secrets-manager/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/security-group/main.tf                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/security-group/tests/basic                        │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/security-groups/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/sns/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/sqs/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/stack/audit-logging/tests/basic                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/stack/networking/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/stack/networking/tests/no-nat                     │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/stack/networking/tests/single-nat                 │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/subnet/main.tf                                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/subnet/tests/basic                                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/vpc/main.tf                                       │ terraform │        10         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/vpc/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/vpc/tests/no_default_nacl                         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/cloud-functions/main.tf                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/cloud-functions/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/gcs/main.tf                                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/gcs/tests/basic                                   │ terraform │         0         │
└───────────────────────────────────────────────────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


aws/amazonmq/main.tf (terraform)
================================
Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (MEDIUM: 3, HIGH: 0, CRITICAL: 0)

AVD-AWS-0070 (MEDIUM): Broker does not have audit logging enabled.
════════════════════════════════════════
Logging should be enabled to allow tracing of issues and activity to be investigated more fully. Logs provide additional information and context which is often invalauble during investigation


See https://avd.aquasec.com/misconfig/avd-aws-0070
────────────────────────────────────────
 aws/amazonmq/main.tf:118
   via aws/amazonmq/main.tf:116-119 (logs)
    via aws/amazonmq/main.tf:14-143 (aws_mq_broker.this)
     via aws/amazonmq/tests/basic/main.tf:177-203 (module.test_activemq_minimal)
────────────────────────────────────────
  14   resource "aws_mq_broker" "this" {
  ..   
 118 [     audit   = var.enable_audit_log
 ...   
 143   }
────────────────────────────────────────


AVD-AWS-0070 (MEDIUM): Broker does not have audit logging enabled.
════════════════════════════════════════
Logging should be enabled to allow tracing of issues and activity to be investigated more fully. Logs provide additional information and context which is often invalauble during investigation


See https://avd.aquasec.com/misconfig/avd-aws-0070
────────────────────────────────────────
 aws/amazonmq/main.tf:118
   via aws/amazonmq/main.tf:116-119 (logs)
    via aws/amazonmq/main.tf:14-143 (aws_mq_broker.this)
     via aws/amazonmq/tests/basic/main.tf:144-174 (module.test_activemq_with_external_config)
────────────────────────────────────────
  14   resource "aws_mq_broker" "this" {
  ..   
 118 [     audit   = var.enable_audit_log
 ...   
 143   }
────────────────────────────────────────


AVD-AWS-0070 (MEDIUM): Broker does not have audit logging enabled.
════════════════════════════════════════
Logging should be enabled to allow tracing of issues and activity to be investigated more fully. Logs provide additional information and context which is often invalauble during investigation


See https://avd.aquasec.com/misconfig/avd-aws-0070
────────────────────────────────────────
 aws/amazonmq/main.tf:118
   via aws/amazonmq/main.tf:116-119 (logs)
    via aws/amazonmq/main.tf:14-143 (aws_mq_broker.this)
     via aws/amazonmq/tests/basic/main.tf:60-96 (module.test_rabbitmq_cluster)
────────────────────────────────────────
  14   resource "aws_mq_broker" "this" {
  ..   
 118 [     audit   = var.enable_audit_log
 ...   
 143   }
────────────────────────────────────────



aws/api-gateway/main.tf (terraform)
===================================
Tests: 6 (SUCCESSES: 0, FAILURES: 6)
Failures: 6 (MEDIUM: 6, HIGH: 0, CRITICAL: 0)

AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 aws/api-gateway/main.tf:315-346
   via aws/api-gateway/tests/basic/main.tf:29-57 (module.basic_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 aws/api-gateway/main.tf:315-346
   via aws/api-gateway/tests/basic/main.tf:350-381 (module.cached_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 aws/api-gateway/main.tf:315-346
   via aws/api-gateway/tests/basic/main.tf:388-457 (module.custom_responses_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 aws/api-gateway/main.tf:315-346
   via aws/api-gateway/tests/basic/main.tf:64-104 (module.lambda_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 aws/api-gateway/main.tf:315-346
   via aws/api-gateway/tests/basic/main.tf:174-259 (module.secured_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 aws/api-gateway/main.tf:315-346
   via aws/api-gateway/tests/basic/main.tf:266-343 (module.validated_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────



aws/cloudfront/main.tf (terraform)
==================================
Tests: 5 (SUCCESSES: 0, FAILURES: 5)
Failures: 5 (MEDIUM: 5, HIGH: 0, CRITICAL: 0)

AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 aws/cloudfront/main.tf:56-312
   via aws/cloudfront/tests/alb_origin/main.tf:27-141 (module.test_alb_origin)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 aws/cloudfront/main.tf:56-312
   via aws/cloudfront/tests/basic/main.tf:26-82 (module.test_basic)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 aws/cloudfront/main.tf:56-312
   via aws/cloudfront/tests/lambda_edge/main.tf:30-155 (module.test_lambda_edge)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 aws/cloudfront/main.tf:56-312
   via aws/cloudfront/tests/multi_origin/main.tf:27-215 (module.test_multi_origin)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 aws/cloudfront/main.tf:56-312
   via aws/cloudfront/tests/s3_oac/main.tf:27-113 (module.test_s3_oac)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────



aws/iam-group-policy/main.tf (terraform)
========================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)

AVD-AWS-0123 (MEDIUM): Multi-Factor authentication is not enforced for group
════════════════════════════════════════
IAM groups should be protected with multi factor authentication to add safe guards to password compromise.


See https://avd.aquasec.com/misconfig/aws-iam-enforce-mfa
────────────────────────────────────────
 aws/iam-group-policy/main.tf:176-186
   via aws/iam-group-policy/tests/advanced/main.tf:23-71 (module.iam_group_policy)
────────────────────────────────────────
 176 ┌ resource "aws_iam_group" "this" {
 177 │   name = var.name
 178 │   path = var.path
 179 │ 
 180 │   lifecycle {
 181 │     precondition {
 182 │       condition     = length(local.all_inline_policies) <= 10
 183 │       error_message = "IAM groups support at most 10 inline policies. Reduce built-in policy toggles or custom_policy_statements."
 184 └     }
 ...   
────────────────────────────────────────


AVD-AWS-0123 (MEDIUM): Multi-Factor authentication is not enforced for group
════════════════════════════════════════
IAM groups should be protected with multi factor authentication to add safe guards to password compromise.


See https://avd.aquasec.com/misconfig/aws-iam-enforce-mfa
────────────────────────────────────────
 aws/iam-group-policy/main.tf:176-186
   via aws/iam-group-policy/tests/basic/main.tf:23-32 (module.iam_group_policy)
────────────────────────────────────────
 176 ┌ resource "aws_iam_group" "this" {
 177 │   name = var.name
 178 │   path = var.path
 179 │ 
 180 │   lifecycle {
 181 │     precondition {
 182 │       condition     = length(local.all_inline_policies) <= 10
 183 │       error_message = "IAM groups support at most 10 inline policies. Reduce built-in policy toggles or custom_policy_statements."
 184 └     }
 ...   
────────────────────────────────────────



aws/iam-group/main.tf (terraform)
=================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)

AVD-AWS-0123 (MEDIUM): Multi-Factor authentication is not enforced for group
════════════════════════════════════════
IAM groups should be protected with multi factor authentication to add safe guards to password compromise.


See https://avd.aquasec.com/misconfig/aws-iam-enforce-mfa
────────────────────────────────────────
 aws/iam-group/main.tf:16-19
   via aws/iam-group/tests/advanced/main.tf:40-85 (module.iam_group)
────────────────────────────────────────
  16 ┌ resource "aws_iam_group" "this" {
  17 │   name = var.name
  18 │   path = var.path
  19 └ }
────────────────────────────────────────


AVD-AWS-0123 (MEDIUM): Multi-Factor authentication is not enforced for group
════════════════════════════════════════
IAM groups should be protected with multi factor authentication to add safe guards to password compromise.


See https://avd.aquasec.com/misconfig/aws-iam-enforce-mfa
────────────────────────────────────────
 aws/iam-group/main.tf:16-19
   via aws/iam-group/tests/basic/main.tf:26-34 (module.iam_group)
────────────────────────────────────────
  16 ┌ resource "aws_iam_group" "this" {
  17 │   name = var.name
  18 │   path = var.path
  19 └ }
────────────────────────────────────────



aws/rds-replica/main.tf (terraform)
===================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)

AVD-AWS-0077 (MEDIUM): Instance has very low backup retention period.
════════════════════════════════════════
RDS backup retention for clusters defaults to 1 day, this may not be enough to identify and respond to an issue. Backup retention periods should be set to a period that is a balance on cost and limiting risk.


See https://avd.aquasec.com/misconfig/avd-aws-0077
────────────────────────────────────────
 aws/rds-replica/main.tf:88-154
   via aws/rds-replica/tests/basic/main.tf:25-48 (module.test_rds_replica)
────────────────────────────────────────
  88 ┌ resource "aws_db_instance" "this" {
  89 │   identifier = var.identifier
  90 │ 
  91 │   # Replica source
  92 │   replicate_source_db = var.source_db_instance_identifier
  93 │ 
  94 │   # Compute
  95 │   instance_class = var.instance_class
  96 └ 
  ..   
────────────────────────────────────────


AVD-AWS-0177 (MEDIUM): Instance does not have Deletion Protection enabled
════════════════════════════════════════
Ensure deletion protection is enabled for RDS database instances.

See https://avd.aquasec.com/misconfig/avd-aws-0177
────────────────────────────────────────
 aws/rds-replica/main.tf:123
   via aws/rds-replica/main.tf:88-154 (aws_db_instance.this)
    via aws/rds-replica/tests/basic/main.tf:25-48 (module.test_rds_replica)
────────────────────────────────────────
  88   resource "aws_db_instance" "this" {
  ..   
 123 [   deletion_protection        = var.deletion_protection
 ...   
 154   }
────────────────────────────────────────



aws/s3/main.tf (terraform)
==========================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (MEDIUM: 1, HIGH: 0, CRITICAL: 0)

AVD-AWS-0090 (MEDIUM): Bucket does not have versioning enabled
════════════════════════════════════════
Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.

You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.

With versioning you can recover more easily from both unintended user actions and application failures.

When you enable versioning, also keep in mind the potential costs of storing noncurrent versions of objects. To help manage those costs, consider setting up an S3 Lifecycle configuration.


See https://avd.aquasec.com/misconfig/avd-aws-0090
────────────────────────────────────────
 aws/s3/main.tf:33
   via aws/s3/main.tf:32-34 (versioning_configuration)
    via aws/s3/main.tf:29-35 (aws_s3_bucket_versioning.this)
     via aws/s3/tests/basic/main.tf:121-132 (module.no_versioning_bucket)
────────────────────────────────────────
  29   resource "aws_s3_bucket_versioning" "this" {
  30     bucket = aws_s3_bucket.this.id
  31   
  32     versioning_configuration {
  33 [     status = var.versioning_enabled ? "Enabled" : "Suspended"
  34     }
  35   }
────────────────────────────────────────



aws/vpc/main.tf (terraform)
===========================
Tests: 10 (SUCCESSES: 0, FAILURES: 10)
Failures: 10 (MEDIUM: 10, HIGH: 0, CRITICAL: 0)

AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/stack/networking/main.tf:47-61 (module.vpc)
    via aws/stack/networking/tests/basic/main.tf:23-34 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/stack/networking/main.tf:47-61 (module.vpc)
    via aws/stack/networking/tests/no-nat/main.tf:23-37 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/stack/networking/main.tf:47-61 (module.vpc)
    via aws/stack/networking/tests/single-nat/main.tf:23-34 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/vpc/tests/basic/main.tf:23-36 (module.test_vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/vpc/tests/no_default_nacl/main.tf:23-39 (module.test_vpc_no_default_nacl)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/internet-gateway/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/nat-gateway/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/route-table/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/security-group/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/subnet/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────

👤 Pusher: @Copilot | 🔄 Action: pull_request | ⚙️ Workflow: Terraform Check

@github-actions
Contributor

🔍 Terraform Check Results

📊 Summary

All checks passed!

| Check | Status | Issues | Scope |
|---|---|---|---|
| 🖌 Format | ✅ success | - | All modules |
| 🤖 Validate | ✅ success | - | All modules |
| 🔍 TFLint | ✅ success | 0 issue(s) | terraform |
| 🔒 Trivy | ✅ success | 0 critical, 0 high, 31 medium | terraform |

🔍 TFLint Details (0 issue(s))
Running TFLint on changed modules:
terraform

=== Checking terraform ===
🔒 Trivy Security Details (31 issue(s))
Running Trivy on changed modules:
terraform

=== Scanning terraform ===

Report Summary

┌───────────────────────────────────────────────────────┬───────────┬───────────────────┐
│                        Target                         │   Type    │ Misconfigurations │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ _template/tests/basic                                 │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb-target-group/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb-target-group/tests/with_listener_rule         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb/main.tf                                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb/tests/host_based                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb/tests/https                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb/tests/multi_target                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb/tests/path_based                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/amazonmq-rabbitmq/tests/basic                     │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/amazonmq/main.tf                                  │ terraform │         3         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/amazonmq/tests/basic                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ami/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/api-gateway/main.tf                               │ terraform │         6         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/api-gateway/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/autoscaling/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/autoscaling/tests/with-instance-profile           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/autoscaling/tests/with-step-scaling               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/autoscaling/tests/with-warm-pool                  │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/aws-lb-controller-role/tests/basic                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/bedrock/main.tf                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/bedrock/tests/advanced                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/bedrock/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudfront/main.tf                                │ terraform │         5         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudfront/tests/alb_origin                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudfront/tests/basic                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudfront/tests/lambda_edge                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudfront/tests/multi_origin                     │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudfront/tests/s3_oac                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudtrail/tests/basic                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudwatch-alarm/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudwatch-dashboard/tests/basic                  │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudwatch-dashboard/tests/custom-metrics         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudwatch-dashboard/tests/pipeline               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codebuild/main.tf                                 │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codebuild/tests/basic                             │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codebuild/tests/custom_compute                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codebuild/tests/with_pipeline                     │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codedeploy/tests/basic                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codedeploy/tests/ec2                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codedeploy/tests/ecs                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codedeploy/tests/lambda                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codepipeline/main.tf                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codepipeline/tests/basic                          │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/dynamodb/tests/advanced                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/dynamodb/tests/basic                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ec2/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ec2/tests/spot_instance                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ec2/tests/user_data                               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ec2/tests/with_ebs                                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ec2/tests/with_eip                                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecr/main.tf                                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecr/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-cluster/main.tf                               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-cluster/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-cluster/tests/with_capacity_providers         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-execution-role/tests/basic                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-execution-role/tests/with_additional_policies │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-service/main.tf                               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-service/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-service/tests/with_autoscaling                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-task-role/tests/basic                         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-task-role/tests/with_policies                 │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eks-app-deployment/tests/basic                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eks-lb-controller/tests/basic                     │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eks-node-role/tests/basic                         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eks/main.tf                                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eks/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/elasticache/tests/advanced                        │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/elasticache/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/basic/main.tf                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/cross_account                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/cross_account/main.tf           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/pattern                         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/scheduled                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/scheduled/main.tf               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group-policy-attachment/tests/basic           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group-policy/main.tf                          │ terraform │         2         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group-policy/tests/advanced                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group-policy/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group/main.tf                                 │ terraform │         2         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group/tests/advanced                          │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group/tests/basic                             │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-policy/tests/basic                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-policy/tests/with_policy_document             │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-user-group-membership/tests/basic             │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-user-group-membership/tests/multiple-groups   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-user/main.tf                                  │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-user/tests/advanced                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-user/tests/basic                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/instance-profile/tests/advanced                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/instance-profile/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/internet-gateway/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/key-pair/tests/basic                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/lambda/main.tf                                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/lambda/tests/basic                                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/lambda/tests/event-source-mapping                 │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/lambda/tests/go                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/lambda/tests/python                               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/lambda/tests/typescript                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/launch-template/tests/advanced                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/launch-template/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/managed-prefix-list/tests/basic                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/nat-gateway/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/parameter-store/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds-option-group/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds-parameter-group/tests/advanced                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds-parameter-group/tests/basic                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds-replica/main.tf                               │ terraform │         2         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds-replica/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds/main.tf                                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds/tests/advanced                                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/route-table/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/s3/main.tf                                        │ terraform │         1         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/s3/tests/basic                                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/scp/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/secrets-manager/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/security-group/main.tf                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/security-group/tests/basic                        │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/security-groups/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/sns/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/sqs/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/stack/audit-logging/tests/basic                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/stack/networking/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/stack/networking/tests/no-nat                     │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/stack/networking/tests/single-nat                 │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/subnet/main.tf                                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/subnet/tests/basic                                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/vpc/main.tf                                       │ terraform │        10         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/vpc/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/vpc/tests/no_default_nacl                         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/cloud-functions/main.tf                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/cloud-functions/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/gcs/main.tf                                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/gcs/tests/basic                                   │ terraform │         0         │
└───────────────────────────────────────────────────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


aws/amazonmq/main.tf (terraform)
================================
Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (MEDIUM: 3, HIGH: 0, CRITICAL: 0)

AVD-AWS-0070 (MEDIUM): Broker does not have audit logging enabled.
════════════════════════════════════════
Logging should be enabled to allow tracing of issues and activity to be investigated more fully. Logs provide additional information and context which is often invalauble during investigation


See https://avd.aquasec.com/misconfig/avd-aws-0070
────────────────────────────────────────
 aws/amazonmq/main.tf:118
   via aws/amazonmq/main.tf:116-119 (logs)
    via aws/amazonmq/main.tf:14-143 (aws_mq_broker.this)
     via aws/amazonmq/tests/basic/main.tf:177-203 (module.test_activemq_minimal)
────────────────────────────────────────
  14   resource "aws_mq_broker" "this" {
  ..   
 118 [     audit   = var.enable_audit_log
 ...   
 143   }
────────────────────────────────────────


AVD-AWS-0070 (MEDIUM): Broker does not have audit logging enabled.
════════════════════════════════════════
Logging should be enabled to allow tracing of issues and activity to be investigated more fully. Logs provide additional information and context which is often invalauble during investigation


See https://avd.aquasec.com/misconfig/avd-aws-0070
────────────────────────────────────────
 aws/amazonmq/main.tf:118
   via aws/amazonmq/main.tf:116-119 (logs)
    via aws/amazonmq/main.tf:14-143 (aws_mq_broker.this)
     via aws/amazonmq/tests/basic/main.tf:144-174 (module.test_activemq_with_external_config)
────────────────────────────────────────
  14   resource "aws_mq_broker" "this" {
  ..   
 118 [     audit   = var.enable_audit_log
 ...   
 143   }
────────────────────────────────────────


AVD-AWS-0070 (MEDIUM): Broker does not have audit logging enabled.
════════════════════════════════════════
Logging should be enabled to allow tracing of issues and activity to be investigated more fully. Logs provide additional information and context which is often invalauble during investigation


See https://avd.aquasec.com/misconfig/avd-aws-0070
────────────────────────────────────────
 aws/amazonmq/main.tf:118
   via aws/amazonmq/main.tf:116-119 (logs)
    via aws/amazonmq/main.tf:14-143 (aws_mq_broker.this)
     via aws/amazonmq/tests/basic/main.tf:60-96 (module.test_rabbitmq_cluster)
────────────────────────────────────────
  14   resource "aws_mq_broker" "this" {
  ..   
 118 [     audit   = var.enable_audit_log
 ...   
 143   }
────────────────────────────────────────



aws/api-gateway/main.tf (terraform)
===================================
Tests: 6 (SUCCESSES: 0, FAILURES: 6)
Failures: 6 (MEDIUM: 6, HIGH: 0, CRITICAL: 0)

AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 aws/api-gateway/main.tf:315-346
   via aws/api-gateway/tests/basic/main.tf:29-57 (module.basic_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 aws/api-gateway/main.tf:315-346
   via aws/api-gateway/tests/basic/main.tf:350-381 (module.cached_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 aws/api-gateway/main.tf:315-346
   via aws/api-gateway/tests/basic/main.tf:388-457 (module.custom_responses_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 aws/api-gateway/main.tf:315-346
   via aws/api-gateway/tests/basic/main.tf:64-104 (module.lambda_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 aws/api-gateway/main.tf:315-346
   via aws/api-gateway/tests/basic/main.tf:174-259 (module.secured_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 aws/api-gateway/main.tf:315-346
   via aws/api-gateway/tests/basic/main.tf:266-343 (module.validated_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────



aws/cloudfront/main.tf (terraform)
==================================
Tests: 5 (SUCCESSES: 0, FAILURES: 5)
Failures: 5 (MEDIUM: 5, HIGH: 0, CRITICAL: 0)

AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 aws/cloudfront/main.tf:56-312
   via aws/cloudfront/tests/alb_origin/main.tf:27-141 (module.test_alb_origin)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 aws/cloudfront/main.tf:56-312
   via aws/cloudfront/tests/basic/main.tf:26-82 (module.test_basic)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 aws/cloudfront/main.tf:56-312
   via aws/cloudfront/tests/lambda_edge/main.tf:30-155 (module.test_lambda_edge)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 aws/cloudfront/main.tf:56-312
   via aws/cloudfront/tests/multi_origin/main.tf:27-215 (module.test_multi_origin)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 aws/cloudfront/main.tf:56-312
   via aws/cloudfront/tests/s3_oac/main.tf:27-113 (module.test_s3_oac)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────



aws/iam-group-policy/main.tf (terraform)
========================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)

AVD-AWS-0123 (MEDIUM): Multi-Factor authentication is not enforced for group
════════════════════════════════════════
IAM groups should be protected with multi factor authentication to add safe guards to password compromise.


See https://avd.aquasec.com/misconfig/aws-iam-enforce-mfa
────────────────────────────────────────
 aws/iam-group-policy/main.tf:176-186
   via aws/iam-group-policy/tests/advanced/main.tf:23-71 (module.iam_group_policy)
────────────────────────────────────────
 176 ┌ resource "aws_iam_group" "this" {
 177 │   name = var.name
 178 │   path = var.path
 179 │ 
 180 │   lifecycle {
 181 │     precondition {
 182 │       condition     = length(local.all_inline_policies) <= 10
 183 │       error_message = "IAM groups support at most 10 inline policies. Reduce built-in policy toggles or custom_policy_statements."
 184 └     }
 ...   
────────────────────────────────────────


AVD-AWS-0123 (MEDIUM): Multi-Factor authentication is not enforced for group
════════════════════════════════════════
IAM groups should be protected with multi factor authentication to add safe guards to password compromise.


See https://avd.aquasec.com/misconfig/aws-iam-enforce-mfa
────────────────────────────────────────
 aws/iam-group-policy/main.tf:176-186
   via aws/iam-group-policy/tests/basic/main.tf:23-32 (module.iam_group_policy)
────────────────────────────────────────
 176 ┌ resource "aws_iam_group" "this" {
 177 │   name = var.name
 178 │   path = var.path
 179 │ 
 180 │   lifecycle {
 181 │     precondition {
 182 │       condition     = length(local.all_inline_policies) <= 10
 183 │       error_message = "IAM groups support at most 10 inline policies. Reduce built-in policy toggles or custom_policy_statements."
 184 └     }
 ...   
────────────────────────────────────────



aws/iam-group/main.tf (terraform)
=================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)

AVD-AWS-0123 (MEDIUM): Multi-Factor authentication is not enforced for group
════════════════════════════════════════
IAM groups should be protected with multi factor authentication to add safe guards to password compromise.


See https://avd.aquasec.com/misconfig/aws-iam-enforce-mfa
────────────────────────────────────────
 aws/iam-group/main.tf:16-19
   via aws/iam-group/tests/advanced/main.tf:40-85 (module.iam_group)
────────────────────────────────────────
  16 ┌ resource "aws_iam_group" "this" {
  17 │   name = var.name
  18 │   path = var.path
  19 └ }
────────────────────────────────────────


AVD-AWS-0123 (MEDIUM): Multi-Factor authentication is not enforced for group
════════════════════════════════════════
IAM groups should be protected with multi factor authentication to add safe guards to password compromise.


See https://avd.aquasec.com/misconfig/aws-iam-enforce-mfa
────────────────────────────────────────
 aws/iam-group/main.tf:16-19
   via aws/iam-group/tests/basic/main.tf:26-34 (module.iam_group)
────────────────────────────────────────
  16 ┌ resource "aws_iam_group" "this" {
  17 │   name = var.name
  18 │   path = var.path
  19 └ }
────────────────────────────────────────



aws/rds-replica/main.tf (terraform)
===================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)

AVD-AWS-0077 (MEDIUM): Instance has very low backup retention period.
════════════════════════════════════════
RDS backup retention for clusters defaults to 1 day, this may not be enough to identify and respond to an issue. Backup retention periods should be set to a period that is a balance on cost and limiting risk.


See https://avd.aquasec.com/misconfig/avd-aws-0077
────────────────────────────────────────
 aws/rds-replica/main.tf:88-170
   via aws/rds-replica/tests/basic/main.tf:25-48 (module.test_rds_replica)
────────────────────────────────────────
  88 ┌ resource "aws_db_instance" "this" {
  89 │   identifier = var.identifier
  90 │ 
  91 │   # Replica source
  92 │   replicate_source_db = var.source_db_instance_identifier
  93 │ 
  94 │   # Compute
  95 │   instance_class = var.instance_class
  96 └ 
  ..   
────────────────────────────────────────


AVD-AWS-0177 (MEDIUM): Instance does not have Deletion Protection enabled
════════════════════════════════════════
Ensure deletion protection is enabled for RDS database instances.

See https://avd.aquasec.com/misconfig/avd-aws-0177
────────────────────────────────────────
 aws/rds-replica/main.tf:123
   via aws/rds-replica/main.tf:88-170 (aws_db_instance.this)
    via aws/rds-replica/tests/basic/main.tf:25-48 (module.test_rds_replica)
────────────────────────────────────────
  88   resource "aws_db_instance" "this" {
  ..   
 123 [   deletion_protection        = var.deletion_protection
 ...   
 170   }
────────────────────────────────────────



aws/s3/main.tf (terraform)
==========================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (MEDIUM: 1, HIGH: 0, CRITICAL: 0)

AVD-AWS-0090 (MEDIUM): Bucket does not have versioning enabled
════════════════════════════════════════
Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.

You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.

With versioning you can recover more easily from both unintended user actions and application failures.

When you enable versioning, also keep in mind the potential costs of storing noncurrent versions of objects. To help manage those costs, consider setting up an S3 Lifecycle configuration.


See https://avd.aquasec.com/misconfig/avd-aws-0090
────────────────────────────────────────
 aws/s3/main.tf:33
   via aws/s3/main.tf:32-34 (versioning_configuration)
    via aws/s3/main.tf:29-35 (aws_s3_bucket_versioning.this)
     via aws/s3/tests/basic/main.tf:121-132 (module.no_versioning_bucket)
────────────────────────────────────────
  29   resource "aws_s3_bucket_versioning" "this" {
  30     bucket = aws_s3_bucket.this.id
  31   
  32     versioning_configuration {
  33 [     status = var.versioning_enabled ? "Enabled" : "Suspended"
  34     }
  35   }
────────────────────────────────────────



aws/vpc/main.tf (terraform)
===========================
Tests: 10 (SUCCESSES: 0, FAILURES: 10)
Failures: 10 (MEDIUM: 10, HIGH: 0, CRITICAL: 0)

AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/stack/networking/main.tf:47-61 (module.vpc)
    via aws/stack/networking/tests/basic/main.tf:23-34 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/stack/networking/main.tf:47-61 (module.vpc)
    via aws/stack/networking/tests/no-nat/main.tf:23-37 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/stack/networking/main.tf:47-61 (module.vpc)
    via aws/stack/networking/tests/single-nat/main.tf:23-34 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/vpc/tests/basic/main.tf:23-36 (module.test_vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/vpc/tests/no_default_nacl/main.tf:23-39 (module.test_vpc_no_default_nacl)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/internet-gateway/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/nat-gateway/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/route-table/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/security-group/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/subnet/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────

👤 Pusher: @llama90 | 🔄 Action: pull_request | ⚙️ Workflow: Terraform Check

@github-actions
Contributor

🔍 Terraform Check Results

📊 Summary

All checks passed!

Check       | Status     | Issues                          | Scope
🖌 Format    | ✅ success | -                               | All modules
🤖 Validate  | ✅ success | -                               | All modules
🔍 TFLint    | ✅ success | 0 issue(s)                      | terraform
🔒 Trivy     | ✅ success | 0 critical, 0 high, 29 medium   | terraform

🔍 TFLint Details (0 issue(s))
Running TFLint on changed modules:
terraform

=== Checking terraform ===
🔒 Trivy Security Details (29 issue(s))
Running Trivy on changed modules:
terraform

=== Scanning terraform ===

Report Summary

┌───────────────────────────────────────────────────────┬───────────┬───────────────────┐
│                        Target                         │   Type    │ Misconfigurations │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ _template/tests/basic                                 │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb-target-group/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb-target-group/tests/with_listener_rule         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb/main.tf                                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb/tests/host_based                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb/tests/https                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb/tests/multi_target                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/alb/tests/path_based                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/amazonmq-rabbitmq/tests/basic                     │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/amazonmq/main.tf                                  │ terraform │         3         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/amazonmq/tests/basic                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ami/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/api-gateway/main.tf                               │ terraform │         6         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/api-gateway/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/autoscaling/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/autoscaling/tests/with-instance-profile           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/autoscaling/tests/with-step-scaling               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/autoscaling/tests/with-warm-pool                  │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/aws-lb-controller-role/tests/basic                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/bedrock/main.tf                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/bedrock/tests/advanced                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/bedrock/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudfront/main.tf                                │ terraform │         5         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudfront/tests/alb_origin                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudfront/tests/basic                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudfront/tests/lambda_edge                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudfront/tests/multi_origin                     │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudfront/tests/s3_oac                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudtrail/tests/basic                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudwatch-alarm/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudwatch-dashboard/tests/basic                  │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudwatch-dashboard/tests/custom-metrics         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/cloudwatch-dashboard/tests/pipeline               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codebuild/main.tf                                 │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codebuild/tests/basic                             │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codebuild/tests/custom_compute                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codebuild/tests/with_pipeline                     │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codedeploy/tests/basic                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codedeploy/tests/ec2                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codedeploy/tests/ecs                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codedeploy/tests/lambda                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codepipeline/main.tf                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/codepipeline/tests/basic                          │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/dynamodb/tests/advanced                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/dynamodb/tests/basic                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ec2/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ec2/tests/spot_instance                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ec2/tests/user_data                               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ec2/tests/with_ebs                                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ec2/tests/with_eip                                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecr/main.tf                                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecr/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-cluster/main.tf                               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-cluster/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-cluster/tests/with_capacity_providers         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-execution-role/tests/basic                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-execution-role/tests/with_additional_policies │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-service/main.tf                               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-service/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-service/tests/with_autoscaling                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-task-role/tests/basic                         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/ecs-task-role/tests/with_policies                 │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eks-app-deployment/tests/basic                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eks-lb-controller/tests/basic                     │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eks-node-role/tests/basic                         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eks/main.tf                                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eks/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/elasticache/tests/advanced                        │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/elasticache/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/basic/main.tf                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/cross_account                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/cross_account/main.tf           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/pattern                         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/scheduled                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/eventbridge/tests/scheduled/main.tf               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group-policy-attachment/tests/basic           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group-policy/main.tf                          │ terraform │         2         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group-policy/tests/advanced                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group-policy/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group/main.tf                                 │ terraform │         2         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group/tests/advanced                          │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-group/tests/basic                             │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-policy/tests/basic                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-policy/tests/with_policy_document             │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-user-group-membership/tests/basic             │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-user-group-membership/tests/multiple-groups   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-user/main.tf                                  │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-user/tests/advanced                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/iam-user/tests/basic                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/instance-profile/tests/advanced                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/instance-profile/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/internet-gateway/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/key-pair/tests/basic                              │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/lambda/main.tf                                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/lambda/tests/basic                                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/lambda/tests/event-source-mapping                 │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/lambda/tests/go                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/lambda/tests/python                               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/lambda/tests/typescript                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/launch-template/tests/advanced                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/launch-template/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/managed-prefix-list/tests/basic                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/nat-gateway/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/parameter-store/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds-option-group/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds-parameter-group/tests/advanced                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds-parameter-group/tests/basic                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds-replica/main.tf                               │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds-replica/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds/main.tf                                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds/tests/advanced                                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/rds/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/route-table/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/s3/main.tf                                        │ terraform │         1         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/s3/tests/basic                                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/scp/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/secrets-manager/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/security-group/main.tf                            │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/security-group/tests/basic                        │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/security-groups/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/sns/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/sqs/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/stack/audit-logging/tests/basic                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/stack/networking/tests/basic                      │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/stack/networking/tests/no-nat                     │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/stack/networking/tests/single-nat                 │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/subnet/main.tf                                    │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/subnet/tests/basic                                │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/vpc/main.tf                                       │ terraform │        10         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/vpc/tests/basic                                   │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ aws/vpc/tests/no_default_nacl                         │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/cloud-functions/main.tf                           │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/cloud-functions/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/gcs/main.tf                                       │ terraform │         0         │
├───────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/gcs/tests/basic                                   │ terraform │         0         │
└───────────────────────────────────────────────────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


aws/amazonmq/main.tf (terraform)
================================
Tests: 3 (SUCCESSES: 0, FAILURES: 3)
Failures: 3 (MEDIUM: 3, HIGH: 0, CRITICAL: 0)

AVD-AWS-0070 (MEDIUM): Broker does not have audit logging enabled.
════════════════════════════════════════
Logging should be enabled to allow tracing of issues and activity to be investigated more fully. Logs provide additional information and context which is often invaluable during investigation


See https://avd.aquasec.com/misconfig/avd-aws-0070
────────────────────────────────────────
 aws/amazonmq/main.tf:118
   via aws/amazonmq/main.tf:116-119 (logs)
    via aws/amazonmq/main.tf:14-143 (aws_mq_broker.this)
     via aws/amazonmq/tests/basic/main.tf:177-203 (module.test_activemq_minimal)
────────────────────────────────────────
  14   resource "aws_mq_broker" "this" {
  ..   
 118 [     audit   = var.enable_audit_log
 ...   
 143   }
────────────────────────────────────────


AVD-AWS-0070 (MEDIUM): Broker does not have audit logging enabled.
════════════════════════════════════════
Logging should be enabled to allow tracing of issues and activity to be investigated more fully. Logs provide additional information and context which is often invaluable during investigation


See https://avd.aquasec.com/misconfig/avd-aws-0070
────────────────────────────────────────
 aws/amazonmq/main.tf:118
   via aws/amazonmq/main.tf:116-119 (logs)
    via aws/amazonmq/main.tf:14-143 (aws_mq_broker.this)
     via aws/amazonmq/tests/basic/main.tf:144-174 (module.test_activemq_with_external_config)
────────────────────────────────────────
  14   resource "aws_mq_broker" "this" {
  ..   
 118 [     audit   = var.enable_audit_log
 ...   
 143   }
────────────────────────────────────────


AVD-AWS-0070 (MEDIUM): Broker does not have audit logging enabled.
════════════════════════════════════════
Logging should be enabled to allow tracing of issues and activity to be investigated more fully. Logs provide additional information and context which is often invaluable during investigation


See https://avd.aquasec.com/misconfig/avd-aws-0070
────────────────────────────────────────
 aws/amazonmq/main.tf:118
   via aws/amazonmq/main.tf:116-119 (logs)
    via aws/amazonmq/main.tf:14-143 (aws_mq_broker.this)
     via aws/amazonmq/tests/basic/main.tf:60-96 (module.test_rabbitmq_cluster)
────────────────────────────────────────
  14   resource "aws_mq_broker" "this" {
  ..   
 118 [     audit   = var.enable_audit_log
 ...   
 143   }
────────────────────────────────────────



aws/api-gateway/main.tf (terraform)
===================================
Tests: 6 (SUCCESSES: 0, FAILURES: 6)
Failures: 6 (MEDIUM: 6, HIGH: 0, CRITICAL: 0)

AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 aws/api-gateway/main.tf:315-346
   via aws/api-gateway/tests/basic/main.tf:29-57 (module.basic_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 aws/api-gateway/main.tf:315-346
   via aws/api-gateway/tests/basic/main.tf:350-381 (module.cached_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 aws/api-gateway/main.tf:315-346
   via aws/api-gateway/tests/basic/main.tf:388-457 (module.custom_responses_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 aws/api-gateway/main.tf:315-346
   via aws/api-gateway/tests/basic/main.tf:64-104 (module.lambda_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 aws/api-gateway/main.tf:315-346
   via aws/api-gateway/tests/basic/main.tf:174-259 (module.secured_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 aws/api-gateway/main.tf:315-346
   via aws/api-gateway/tests/basic/main.tf:266-343 (module.validated_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────



aws/cloudfront/main.tf (terraform)
==================================
Tests: 5 (SUCCESSES: 0, FAILURES: 5)
Failures: 5 (MEDIUM: 5, HIGH: 0, CRITICAL: 0)

AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 aws/cloudfront/main.tf:56-312
   via aws/cloudfront/tests/alb_origin/main.tf:27-141 (module.test_alb_origin)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 aws/cloudfront/main.tf:56-312
   via aws/cloudfront/tests/basic/main.tf:26-82 (module.test_basic)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 aws/cloudfront/main.tf:56-312
   via aws/cloudfront/tests/lambda_edge/main.tf:30-155 (module.test_lambda_edge)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 aws/cloudfront/main.tf:56-312
   via aws/cloudfront/tests/multi_origin/main.tf:27-215 (module.test_multi_origin)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 aws/cloudfront/main.tf:56-312
   via aws/cloudfront/tests/s3_oac/main.tf:27-113 (module.test_s3_oac)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────



aws/iam-group-policy/main.tf (terraform)
========================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)

AVD-AWS-0123 (MEDIUM): Multi-Factor authentication is not enforced for group
════════════════════════════════════════
IAM groups should be protected with multi factor authentication to add safe guards to password compromise.


See https://avd.aquasec.com/misconfig/aws-iam-enforce-mfa
────────────────────────────────────────
 aws/iam-group-policy/main.tf:176-186
   via aws/iam-group-policy/tests/advanced/main.tf:23-71 (module.iam_group_policy)
────────────────────────────────────────
 176 ┌ resource "aws_iam_group" "this" {
 177 │   name = var.name
 178 │   path = var.path
 179 │ 
 180 │   lifecycle {
 181 │     precondition {
 182 │       condition     = length(local.all_inline_policies) <= 10
 183 │       error_message = "IAM groups support at most 10 inline policies. Reduce built-in policy toggles or custom_policy_statements."
 184 └     }
 ...   
────────────────────────────────────────


AVD-AWS-0123 (MEDIUM): Multi-Factor authentication is not enforced for group
════════════════════════════════════════
IAM groups should be protected with multi factor authentication to add safe guards to password compromise.


See https://avd.aquasec.com/misconfig/aws-iam-enforce-mfa
────────────────────────────────────────
 aws/iam-group-policy/main.tf:176-186
   via aws/iam-group-policy/tests/basic/main.tf:23-32 (module.iam_group_policy)
────────────────────────────────────────
 176 ┌ resource "aws_iam_group" "this" {
 177 │   name = var.name
 178 │   path = var.path
 179 │ 
 180 │   lifecycle {
 181 │     precondition {
 182 │       condition     = length(local.all_inline_policies) <= 10
 183 │       error_message = "IAM groups support at most 10 inline policies. Reduce built-in policy toggles or custom_policy_statements."
 184 └     }
 ...   
────────────────────────────────────────



aws/iam-group/main.tf (terraform)
=================================
Tests: 2 (SUCCESSES: 0, FAILURES: 2)
Failures: 2 (MEDIUM: 2, HIGH: 0, CRITICAL: 0)

AVD-AWS-0123 (MEDIUM): Multi-Factor authentication is not enforced for group
════════════════════════════════════════
IAM groups should be protected with multi factor authentication to add safe guards to password compromise.


See https://avd.aquasec.com/misconfig/aws-iam-enforce-mfa
────────────────────────────────────────
 aws/iam-group/main.tf:16-19
   via aws/iam-group/tests/advanced/main.tf:40-85 (module.iam_group)
────────────────────────────────────────
  16 ┌ resource "aws_iam_group" "this" {
  17 │   name = var.name
  18 │   path = var.path
  19 └ }
────────────────────────────────────────


AVD-AWS-0123 (MEDIUM): Multi-Factor authentication is not enforced for group
════════════════════════════════════════
IAM groups should be protected with multi factor authentication to add safe guards to password compromise.


See https://avd.aquasec.com/misconfig/aws-iam-enforce-mfa
────────────────────────────────────────
 aws/iam-group/main.tf:16-19
   via aws/iam-group/tests/basic/main.tf:26-34 (module.iam_group)
────────────────────────────────────────
  16 ┌ resource "aws_iam_group" "this" {
  17 │   name = var.name
  18 │   path = var.path
  19 └ }
────────────────────────────────────────



aws/s3/main.tf (terraform)
==========================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (MEDIUM: 1, HIGH: 0, CRITICAL: 0)

AVD-AWS-0090 (MEDIUM): Bucket does not have versioning enabled
════════════════════════════════════════
Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.

You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.

With versioning you can recover more easily from both unintended user actions and application failures.

When you enable versioning, also keep in mind the potential costs of storing noncurrent versions of objects. To help manage those costs, consider setting up an S3 Lifecycle configuration.


See https://avd.aquasec.com/misconfig/avd-aws-0090
────────────────────────────────────────
 aws/s3/main.tf:33
   via aws/s3/main.tf:32-34 (versioning_configuration)
    via aws/s3/main.tf:29-35 (aws_s3_bucket_versioning.this)
     via aws/s3/tests/basic/main.tf:121-132 (module.no_versioning_bucket)
────────────────────────────────────────
  29   resource "aws_s3_bucket_versioning" "this" {
  30     bucket = aws_s3_bucket.this.id
  31   
  32     versioning_configuration {
  33 [     status = var.versioning_enabled ? "Enabled" : "Suspended"
  34     }
  35   }
────────────────────────────────────────



aws/vpc/main.tf (terraform)
===========================
Tests: 10 (SUCCESSES: 0, FAILURES: 10)
Failures: 10 (MEDIUM: 10, HIGH: 0, CRITICAL: 0)

AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/stack/networking/main.tf:47-61 (module.vpc)
    via aws/stack/networking/tests/basic/main.tf:23-34 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/stack/networking/main.tf:47-61 (module.vpc)
    via aws/stack/networking/tests/no-nat/main.tf:23-37 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/stack/networking/main.tf:47-61 (module.vpc)
    via aws/stack/networking/tests/single-nat/main.tf:23-34 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/vpc/tests/basic/main.tf:23-36 (module.test_vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/vpc/tests/no_default_nacl/main.tf:23-39 (module.test_vpc_no_default_nacl)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/internet-gateway/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/nat-gateway/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/route-table/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/security-group/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 aws/vpc/main.tf:12-26
   via aws/subnet/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────

👤 Pusher: @llama90 | 🔄 Action: pull_request | ⚙️ Workflow: Terraform Check

@llama90 llama90 merged commit 71a5c6e into main Feb 22, 2026
5 checks passed
@llama90 llama90 deleted the copilot/add-rds-replica-module branch February 22, 2026 18:34