
Add AWS Bedrock Knowledge Base Terraform module #38

Open
llama90 wants to merge 4 commits into main from claude/bedrock-knowledge-base-module-DwHM7

Conversation

llama90 (Contributor) commented Dec 21, 2025

This module provides production-ready configuration for Amazon Bedrock Knowledge Bases with vector database integration for RAG (Retrieval-Augmented Generation):

  • Knowledge base creation with vector embeddings
  • Multiple storage backends: OpenSearch Serverless, RDS (Aurora PostgreSQL), Pinecone
  • S3 data source integration with automatic ingestion
  • Customizable chunking strategies (fixed-size or none)
  • Support for multiple embedding models (Amazon Titan, Cohere)
  • Automatic IAM role and policy management
  • Document filtering with S3 inclusion prefixes

Features:

  • OpenSearch Serverless configuration with custom field mappings
  • RDS Aurora PostgreSQL with pgvector support
  • Pinecone integration for external vector databases
  • Fixed-size chunking with configurable tokens and overlap
  • Data deletion policies for compliance
  • Comprehensive outputs including CLI and Python examples

Includes:

  • Complete module implementation (main.tf, variables.tf, outputs.tf)
  • Basic test: Simple knowledge base with OpenSearch Serverless
  • Advanced test: Full production setup with custom chunking and filtering
  • Comprehensive documentation with RAG patterns and best practices

Type of Change

  • New module
  • Module enhancement
  • Bug fix
  • Docs / tooling only
  • Other (please describe):

Checklist

  • CI checks passed (terraform validate / tflint / trivy / terraform-docs)
  • No breaking changes, or breaking changes are documented

Module Information

Module Path: terraform/___________

Purpose:

Key Resources:


Additional Notes


Related Issues

Closes #

claude and others added 2 commits December 21, 2025 02:56
github-actions (Contributor) commented:

✅ Terraform formatting has been automatically applied to this PR.

github-actions (Contributor) commented:

🔍 Terraform Check Results

📊 Summary

🔴 Some checks failed

| Check       | Status     | Issues                          | Scope       |
|-------------|------------|---------------------------------|-------------|
| 🖌 Format   | ✅ success | -                               | All modules |
| 🤖 Validate | ✅ success | -                               | All modules |
| 🔍 TFLint   | ✅ success | 0 issue(s)                      | terraform   |
| 🔒 Trivy    | ❌ failure | 0 critical, 11 high, 22 medium  | terraform   |

🔍 TFLint Details (0 issue(s))
Running TFLint on changed modules:
terraform

=== Checking terraform ===
🔒 Trivy Security Details (33 issue(s))
Running Trivy on changed modules:
terraform

=== Scanning terraform ===

Report Summary

┌───────────────────────────────────────────────┬───────────┬───────────────────┐
│                    Target                     │   Type    │ Misconfigurations │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ _template/tests/basic                         │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/main.tf                                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/host_based                          │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/https                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/multi_target                        │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/path_based                          │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ api_gateway/main.tf                           │ terraform │         6         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ api_gateway/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ bedrock-knowledge-base/tests/advanced         │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ bedrock-knowledge-base/tests/advanced/main.tf │ terraform │         5         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ bedrock-knowledge-base/tests/basic            │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ bedrock-knowledge-base/tests/basic/main.tf    │ terraform │         7         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/main.tf                            │ terraform │         5         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/alb_origin                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/basic                        │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/lambda_edge                  │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/multi_origin                 │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/s3_oac                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudtrail/tests/basic                        │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ dynamodb/tests/advanced                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ dynamodb/tests/basic                          │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/spot_instance                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/user_data                           │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/with_ebs                            │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/with_eip                            │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ecr/main.tf                                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ecr/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eks/main.tf                                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eks/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/basic/main.tf               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/cross_account               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/cross_account/main.tf       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/pattern                     │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/scheduled                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/scheduled/main.tf           │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/cloud-functions/main.tf                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/cloud-functions/tests/basic               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/gcs/main.tf                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/gcs/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ internet_gateway/tests/basic                  │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/main.tf                                │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/basic                            │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/go                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/python                           │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/typescript                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ nat_gateway/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ parameter-store/tests/basic                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ route_table/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ s3/main.tf                                    │ terraform │         1         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ s3/tests/basic                                │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ scp/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ security_group/main.tf                        │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ security_group/tests/basic                    │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ sqs/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/audit-logging/tests/basic               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/networking/tests/basic                  │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/networking/tests/no-nat                 │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/networking/tests/single-nat             │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ subnet/main.tf                                │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ subnet/tests/basic                            │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ vpc/main.tf                                   │ terraform │         9         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ vpc/tests/basic                               │ terraform │         0         │
└───────────────────────────────────────────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


api_gateway/main.tf (terraform)
===============================
Tests: 6 (SUCCESSES: 0, FAILURES: 6)
Failures: 6 (MEDIUM: 6, HIGH: 0, CRITICAL: 0)

AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:29-57 (module.basic_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:350-381 (module.cached_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:388-457 (module.custom_responses_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:64-104 (module.lambda_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:174-259 (module.secured_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:266-343 (module.validated_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────



bedrock-knowledge-base/tests/advanced/main.tf (terraform)
=========================================================
Tests: 5 (SUCCESSES: 0, FAILURES: 5)
Failures: 5 (MEDIUM: 0, HIGH: 5, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 bedrock-knowledge-base/tests/advanced/main.tf:44-46
────────────────────────────────────────
  44 ┌ resource "aws_s3_bucket" "documents" {
  45 │   bucket = "advanced-kb-enterprise-docs"
  46 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 bedrock-knowledge-base/tests/advanced/main.tf:44-46
────────────────────────────────────────
  44 ┌ resource "aws_s3_bucket" "documents" {
  45 │   bucket = "advanced-kb-enterprise-docs"
  46 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 bedrock-knowledge-base/tests/advanced/main.tf:44-46
────────────────────────────────────────
  44 ┌ resource "aws_s3_bucket" "documents" {
  45 │   bucket = "advanced-kb-enterprise-docs"
  46 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 bedrock-knowledge-base/tests/advanced/main.tf:44-46
────────────────────────────────────────
  44 ┌ resource "aws_s3_bucket" "documents" {
  45 │   bucket = "advanced-kb-enterprise-docs"
  46 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 bedrock-knowledge-base/tests/advanced/main.tf:57-65
────────────────────────────────────────
  57 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "documents" {
  58 │   bucket = aws_s3_bucket.documents.id
  59 │ 
  60 │   rule {
  61 │     apply_server_side_encryption_by_default {
  62 │       sse_algorithm = "AES256"
  63 │     }
  64 │   }
  65 └ }
────────────────────────────────────────



bedrock-knowledge-base/tests/basic/main.tf (terraform)
======================================================
Tests: 7 (SUCCESSES: 0, FAILURES: 7)
Failures: 7 (MEDIUM: 1, HIGH: 6, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────


AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────


AVD-AWS-0090 (MEDIUM): Bucket does not have versioning enabled
════════════════════════════════════════
Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.

You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.

With versioning you can recover more easily from both unintended user actions and application failures.

When you enable versioning, also keep in mind the potential costs of storing noncurrent versions of objects. To help manage those costs, consider setting up an S3 Lifecycle configuration.


See https://avd.aquasec.com/misconfig/avd-aws-0090
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────



cloudfront/main.tf (terraform)
==============================
Tests: 5 (SUCCESSES: 0, FAILURES: 5)
Failures: 5 (MEDIUM: 5, HIGH: 0, CRITICAL: 0)

AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/alb_origin/main.tf:27-141 (module.test_alb_origin)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/basic/main.tf:26-82 (module.test_basic)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/lambda_edge/main.tf:30-155 (module.test_lambda_edge)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/multi_origin/main.tf:27-215 (module.test_multi_origin)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/s3_oac/main.tf:27-113 (module.test_s3_oac)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────



s3/main.tf (terraform)
======================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (MEDIUM: 1, HIGH: 0, CRITICAL: 0)

AVD-AWS-0090 (MEDIUM): Bucket does not have versioning enabled
════════════════════════════════════════
Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.

You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.

With versioning you can recover more easily from both unintended user actions and application failures.

When you enable versioning, also keep in mind the potential costs of storing noncurrent versions of objects. To help manage those costs, consider setting up an S3 Lifecycle configuration.


See https://avd.aquasec.com/misconfig/avd-aws-0090
────────────────────────────────────────
 s3/main.tf:33
   via s3/main.tf:32-34 (versioning_configuration)
    via s3/main.tf:29-35 (aws_s3_bucket_versioning.this)
     via s3/tests/basic/main.tf:121-132 (module.no_versioning_bucket)
────────────────────────────────────────
  29   resource "aws_s3_bucket_versioning" "this" {
  30     bucket = aws_s3_bucket.this.id
  31   
  32     versioning_configuration {
  33 [     status = var.versioning_enabled ? "Enabled" : "Suspended"
  34     }
  35   }
────────────────────────────────────────



vpc/main.tf (terraform)
=======================
Tests: 9 (SUCCESSES: 0, FAILURES: 9)
Failures: 9 (MEDIUM: 9, HIGH: 0, CRITICAL: 0)

AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via stack/networking/main.tf:47-59 (module.vpc)
    via stack/networking/tests/basic/main.tf:23-34 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via stack/networking/main.tf:47-59 (module.vpc)
    via stack/networking/tests/no-nat/main.tf:23-37 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via stack/networking/main.tf:47-59 (module.vpc)
    via stack/networking/tests/single-nat/main.tf:23-34 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via vpc/tests/basic/main.tf:23-36 (module.test_vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via internet_gateway/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via nat_gateway/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via route_table/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via security_group/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via subnet/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────

👤 Pusher: @llama90 | 🔄 Action: pull_request | ⚙️ Workflow: Terraform Check
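
An added example, not code from this PR or from the repository's cloudfront and vpc modules, showing one way to close the two module-level MEDIUM findings Trivy reports above: AVD-AWS-0178 (no VPC Flow Logs) and AVD-AWS-0010 (no CloudFront access logging). Two caveats the report itself supports: the AVD-AWS-0090 hit on s3/main.tf is raised through a test instance named module.no_versioning_bucket, so it exercises the disabled-versioning path on purpose rather than pointing at a module defect; and the "See" link Trivy prints for AVD-AWS-0178 points at an unrelated autoscaling check, while every other finding on the page follows the https://avd.aquasec.com/misconfig/avd-aws-NNNN pattern. All resource names, the CIDR, the bucket names, the origin and the retention period below are assumptions; policies use jsonencode rather than data sources so that terraform plan still needs no AWS API calls, in line with the commit message that follows.

```hcl
# Added example: remediation for AVD-AWS-0178 and AVD-AWS-0010.
# Names, CIDR, bucket names, origin and retention are assumed values.

########## AVD-AWS-0178: VPC Flow Logs delivered to CloudWatch Logs ##########

resource "aws_vpc" "this" {
  cidr_block = "10.0.0.0/16" # assumed
}

resource "aws_cloudwatch_log_group" "flow_logs" {
  name              = "/vpc/example/flow-logs" # assumed
  retention_in_days = 90                        # assumed; pick what your retention policy requires
}

# The flow-log service principal needs a role it can assume to write to the group.
resource "aws_iam_role" "flow_logs" {
  name = "example-vpc-flow-logs" # assumed
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect    = "Allow"
      Action    = "sts:AssumeRole"
      Principal = { Service = "vpc-flow-logs.amazonaws.com" }
    }]
  })
}

resource "aws_iam_role_policy" "flow_logs" {
  role = aws_iam_role.flow_logs.id
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Action = [
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "logs:DescribeLogGroups",
        "logs:DescribeLogStreams",
      ]
      # Scoped to this log group's streams, not "*".
      Resource = "${aws_cloudwatch_log_group.flow_logs.arn}:*"
    }]
  })
}

resource "aws_flow_log" "this" {
  vpc_id               = aws_vpc.this.id
  traffic_type         = "ALL" # "ACCEPT" alone would hide the rejected traffic you want to investigate
  log_destination_type = "cloud-watch-logs"
  log_destination      = aws_cloudwatch_log_group.flow_logs.arn
  iam_role_arn         = aws_iam_role.flow_logs.arn
}

########## AVD-AWS-0010: CloudFront standard access logs delivered to S3 ##########

resource "aws_s3_bucket" "cf_logs" {
  bucket = "example-cloudfront-access-logs" # assumed; bucket names are global
}

# CloudFront standard logging writes through a bucket ACL, so the log bucket
# must not use BucketOwnerEnforced (the default for newly created buckets).
resource "aws_s3_bucket_ownership_controls" "cf_logs" {
  bucket = aws_s3_bucket.cf_logs.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

# Keeps the new log bucket from raising AVD-AWS-0086/0087/0091/0093 on its own.
resource "aws_s3_bucket_public_access_block" "cf_logs" {
  bucket                  = aws_s3_bucket.cf_logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

resource "aws_cloudfront_distribution" "this" {
  enabled = true

  origin {
    domain_name = "example-origin.s3.amazonaws.com" # assumed
    origin_id   = "s3-origin"
  }

  default_cache_behavior {
    target_origin_id       = "s3-origin"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = "658327ea-f89d-4fab-a63d-7e88639e58f6" # AWS managed CachingOptimized
  }

  restrictions {
    geo_restriction { restriction_type = "none" }
  }

  viewer_certificate { cloudfront_default_certificate = true }

  # This block is what AVD-AWS-0010 looks for.
  logging_config {
    bucket          = aws_s3_bucket.cf_logs.bucket_domain_name
    include_cookies = false
    prefix          = "cloudfront/"
  }
}
```

In a shared module the logging_config block and the flow-log resources would normally be gated on a variable (a dynamic "logging_config" block keyed on a nullable bucket name, a count on the flow-log resources), so that the module's tests can cover both paths while the default stays on; note that the scanner only sees the resource as instantiated, so a test that leaves logging off will keep reporting the finding against main.tf, exactly as the no_versioning_bucket test does for AVD-AWS-0090.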

Remove data source dependencies that require API calls:
- Remove aws_caller_identity and aws_region data sources
- Remove IAM role condition constraints that required account_id/region
- Replace region in model ARN outputs with wildcards (*)
- Remove region and account_id outputs

This allows terraform plan to run without actual AWS credentials.
@github-actions
Contributor

🔍 Terraform Check Results

📊 Summary

🔴 Some checks failed

Check Status Issues Scope
🖌 Format ✅ success - All modules
🤖 Validate ✅ success - All modules
🔍 TFLint ✅ success 0 issue(s) terraform
🔒 Trivy ❌ failure 0 critical, 11 high, 22 medium terraform

🔍 TFLint Details (0 issue(s))
Running TFLint on changed modules:
terraform

=== Checking terraform ===
🔒 Trivy Security Details (33 issue(s))
Running Trivy on changed modules:
terraform

=== Scanning terraform ===

Report Summary

┌───────────────────────────────────────────────┬───────────┬───────────────────┐
│                    Target                     │   Type    │ Misconfigurations │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ _template/tests/basic                         │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/main.tf                                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/host_based                          │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/https                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/multi_target                        │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/path_based                          │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ api_gateway/main.tf                           │ terraform │         6         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ api_gateway/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ bedrock-knowledge-base/tests/advanced         │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ bedrock-knowledge-base/tests/advanced/main.tf │ terraform │         5         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ bedrock-knowledge-base/tests/basic            │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ bedrock-knowledge-base/tests/basic/main.tf    │ terraform │         7         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/main.tf                            │ terraform │         5         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/alb_origin                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/basic                        │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/lambda_edge                  │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/multi_origin                 │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/s3_oac                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudtrail/tests/basic                        │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ dynamodb/tests/advanced                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ dynamodb/tests/basic                          │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/spot_instance                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/user_data                           │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/with_ebs                            │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/with_eip                            │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ecr/main.tf                                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ecr/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eks/main.tf                                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eks/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/basic/main.tf               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/cross_account               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/cross_account/main.tf       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/pattern                     │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/scheduled                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/scheduled/main.tf           │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/cloud-functions/main.tf                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/cloud-functions/tests/basic               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/gcs/main.tf                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/gcs/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ internet_gateway/tests/basic                  │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/main.tf                                │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/basic                            │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/go                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/python                           │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/typescript                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ nat_gateway/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ parameter-store/tests/basic                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ route_table/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ s3/main.tf                                    │ terraform │         1         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ s3/tests/basic                                │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ scp/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ security_group/main.tf                        │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ security_group/tests/basic                    │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ sqs/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/audit-logging/tests/basic               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/networking/tests/basic                  │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/networking/tests/no-nat                 │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/networking/tests/single-nat             │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ subnet/main.tf                                │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ subnet/tests/basic                            │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ vpc/main.tf                                   │ terraform │         9         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ vpc/tests/basic                               │ terraform │         0         │
└───────────────────────────────────────────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


api_gateway/main.tf (terraform)
===============================
Tests: 6 (SUCCESSES: 0, FAILURES: 6)
Failures: 6 (MEDIUM: 6, HIGH: 0, CRITICAL: 0)

AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:29-57 (module.basic_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:350-381 (module.cached_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:388-457 (module.custom_responses_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:64-104 (module.lambda_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:174-259 (module.secured_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:266-343 (module.validated_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────



bedrock-knowledge-base/tests/advanced/main.tf (terraform)
=========================================================
Tests: 5 (SUCCESSES: 0, FAILURES: 5)
Failures: 5 (MEDIUM: 0, HIGH: 5, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs will fail if the object has any public ACL.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 bedrock-knowledge-base/tests/advanced/main.tf:44-46
────────────────────────────────────────
  44 ┌ resource "aws_s3_bucket" "documents" {
  45 │   bucket = "advanced-kb-enterprise-docs"
  46 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 bedrock-knowledge-base/tests/advanced/main.tf:44-46
────────────────────────────────────────
  44 ┌ resource "aws_s3_bucket" "documents" {
  45 │   bucket = "advanced-kb-enterprise-docs"
  46 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 bedrock-knowledge-base/tests/advanced/main.tf:44-46
────────────────────────────────────────
  44 ┌ resource "aws_s3_bucket" "documents" {
  45 │   bucket = "advanced-kb-enterprise-docs"
  46 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 bedrock-knowledge-base/tests/advanced/main.tf:44-46
────────────────────────────────────────
  44 ┌ resource "aws_s3_bucket" "documents" {
  45 │   bucket = "advanced-kb-enterprise-docs"
  46 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 bedrock-knowledge-base/tests/advanced/main.tf:57-65
────────────────────────────────────────
  57 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "documents" {
  58 │   bucket = aws_s3_bucket.documents.id
  59 │ 
  60 │   rule {
  61 │     apply_server_side_encryption_by_default {
  62 │       sse_algorithm = "AES256"
  63 │     }
  64 │   }
  65 └ }
────────────────────────────────────────



bedrock-knowledge-base/tests/basic/main.tf (terraform)
======================================================
Tests: 7 (SUCCESSES: 0, FAILURES: 7)
Failures: 7 (MEDIUM: 1, HIGH: 6, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────


AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────


AVD-AWS-0090 (MEDIUM): Bucket does not have versioning enabled
════════════════════════════════════════
Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.

You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.

With versioning you can recover more easily from both unintended user actions and application failures.

When you enable versioning, also keep in mind the potential costs of storing noncurrent versions of objects. To help manage those costs, consider setting up an S3 Lifecycle configuration.


See https://avd.aquasec.com/misconfig/avd-aws-0090
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────



cloudfront/main.tf (terraform)
==============================
Tests: 5 (SUCCESSES: 0, FAILURES: 5)
Failures: 5 (MEDIUM: 5, HIGH: 0, CRITICAL: 0)

AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/alb_origin/main.tf:27-141 (module.test_alb_origin)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/basic/main.tf:26-82 (module.test_basic)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/lambda_edge/main.tf:30-155 (module.test_lambda_edge)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/multi_origin/main.tf:27-215 (module.test_multi_origin)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/s3_oac/main.tf:27-113 (module.test_s3_oac)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────



s3/main.tf (terraform)
======================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (MEDIUM: 1, HIGH: 0, CRITICAL: 0)

AVD-AWS-0090 (MEDIUM): Bucket does not have versioning enabled
════════════════════════════════════════
Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.

You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.

With versioning you can recover more easily from both unintended user actions and application failures.

When you enable versioning, also keep in mind the potential costs of storing noncurrent versions of objects. To help manage those costs, consider setting up an S3 Lifecycle configuration.


See https://avd.aquasec.com/misconfig/avd-aws-0090
────────────────────────────────────────
 s3/main.tf:33
   via s3/main.tf:32-34 (versioning_configuration)
    via s3/main.tf:29-35 (aws_s3_bucket_versioning.this)
     via s3/tests/basic/main.tf:121-132 (module.no_versioning_bucket)
────────────────────────────────────────
  29   resource "aws_s3_bucket_versioning" "this" {
  30     bucket = aws_s3_bucket.this.id
  31   
  32     versioning_configuration {
  33 [     status = var.versioning_enabled ? "Enabled" : "Suspended"
  34     }
  35   }
────────────────────────────────────────



vpc/main.tf (terraform)
=======================
Tests: 9 (SUCCESSES: 0, FAILURES: 9)
Failures: 9 (MEDIUM: 9, HIGH: 0, CRITICAL: 0)

AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via stack/networking/main.tf:47-59 (module.vpc)
    via stack/networking/tests/basic/main.tf:23-34 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via stack/networking/main.tf:47-59 (module.vpc)
    via stack/networking/tests/no-nat/main.tf:23-37 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via stack/networking/main.tf:47-59 (module.vpc)
    via stack/networking/tests/single-nat/main.tf:23-34 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via vpc/tests/basic/main.tf:23-36 (module.test_vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via internet_gateway/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via nat_gateway/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via route_table/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via security_group/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via subnet/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────

👤 Pusher: @llama90 | 🔄 Action: pull_request | ⚙️ Workflow: Terraform Check

- Reduce from 483 lines to ~66 lines (ultra-minimal)
- Remove all verbose use cases and tutorials
- Remove duplicated code examples (vector databases, embedding models, etc)
- Simplify Quick Start (removed S3/OpenSearch creation)
- Add terraform-docs section with <details>
- Follow exact structure: Features, Quick Start, Examples, Testing, Docs
- Limit features to 8 items
- Reference tests/ instead of duplicating code

Follows DOCUMENTATION_GUIDELINES.md pattern like ec2 module.
@github-actions
Contributor

🔍 Terraform Check Results

📊 Summary

🔴 Some checks failed

Check Status Issues Scope
🖌 Format ✅ success - All modules
🤖 Validate ✅ success - All modules
🔍 TFLint ✅ success 0 issue(s) terraform
🔒 Trivy ❌ failure 0 critical, 11 high, 22 medium terraform

🔍 TFLint Details (0 issue(s))
Running TFLint on changed modules:
terraform

=== Checking terraform ===
🔒 Trivy Security Details (33 issue(s))
Running Trivy on changed modules:
terraform

=== Scanning terraform ===

Report Summary

┌───────────────────────────────────────────────┬───────────┬───────────────────┐
│                    Target                     │   Type    │ Misconfigurations │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ _template/tests/basic                         │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/main.tf                                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/host_based                          │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/https                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/multi_target                        │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/path_based                          │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ api_gateway/main.tf                           │ terraform │         6         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ api_gateway/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ bedrock-knowledge-base/tests/advanced         │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ bedrock-knowledge-base/tests/advanced/main.tf │ terraform │         5         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ bedrock-knowledge-base/tests/basic            │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ bedrock-knowledge-base/tests/basic/main.tf    │ terraform │         7         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ bedrock/main.tf                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ bedrock/tests/advanced                        │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ bedrock/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/main.tf                            │ terraform │         5         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/alb_origin                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/basic                        │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/lambda_edge                  │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/multi_origin                 │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/s3_oac                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudtrail/tests/basic                        │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ dynamodb/tests/advanced                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ dynamodb/tests/basic                          │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/spot_instance                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/user_data                           │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/with_ebs                            │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/with_eip                            │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ecr/main.tf                                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ ecr/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eks/main.tf                                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eks/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/basic/main.tf               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/cross_account               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/cross_account/main.tf       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/pattern                     │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/scheduled                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/scheduled/main.tf           │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/cloud-functions/main.tf                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/cloud-functions/tests/basic               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/gcs/main.tf                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/gcs/tests/basic                           │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ internet_gateway/tests/basic                  │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/main.tf                                │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/basic                            │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/go                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/python                           │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/typescript                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ nat_gateway/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ parameter-store/tests/basic                   │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ route_table/tests/basic                       │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ s3/main.tf                                    │ terraform │         1         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ s3/tests/basic                                │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ scp/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ security_group/main.tf                        │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ security_group/tests/basic                    │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ sqs/tests/basic                               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/audit-logging/tests/basic               │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/networking/tests/basic                  │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/networking/tests/no-nat                 │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/networking/tests/single-nat             │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ subnet/main.tf                                │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ subnet/tests/basic                            │ terraform │         0         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ vpc/main.tf                                   │ terraform │         9         │
├───────────────────────────────────────────────┼───────────┼───────────────────┤
│ vpc/tests/basic                               │ terraform │         0         │
└───────────────────────────────────────────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


api_gateway/main.tf (terraform)
===============================
Tests: 6 (SUCCESSES: 0, FAILURES: 6)
Failures: 6 (MEDIUM: 6, HIGH: 0, CRITICAL: 0)

AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:29-57 (module.basic_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:350-381 (module.cached_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:388-457 (module.custom_responses_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:64-104 (module.lambda_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:174-259 (module.secured_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:266-343 (module.validated_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────



bedrock-knowledge-base/tests/advanced/main.tf (terraform)
=========================================================
Tests: 5 (SUCCESSES: 0, FAILURES: 5)
Failures: 5 (MEDIUM: 0, HIGH: 5, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 bedrock-knowledge-base/tests/advanced/main.tf:44-46
────────────────────────────────────────
  44 ┌ resource "aws_s3_bucket" "documents" {
  45 │   bucket = "advanced-kb-enterprise-docs"
  46 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 bedrock-knowledge-base/tests/advanced/main.tf:44-46
────────────────────────────────────────
  44 ┌ resource "aws_s3_bucket" "documents" {
  45 │   bucket = "advanced-kb-enterprise-docs"
  46 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 bedrock-knowledge-base/tests/advanced/main.tf:44-46
────────────────────────────────────────
  44 ┌ resource "aws_s3_bucket" "documents" {
  45 │   bucket = "advanced-kb-enterprise-docs"
  46 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 bedrock-knowledge-base/tests/advanced/main.tf:44-46
────────────────────────────────────────
  44 ┌ resource "aws_s3_bucket" "documents" {
  45 │   bucket = "advanced-kb-enterprise-docs"
  46 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 bedrock-knowledge-base/tests/advanced/main.tf:57-65
────────────────────────────────────────
  57 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "documents" {
  58 │   bucket = aws_s3_bucket.documents.id
  59 │ 
  60 │   rule {
  61 │     apply_server_side_encryption_by_default {
  62 │       sse_algorithm = "AES256"
  63 │     }
  64 │   }
  65 └ }
────────────────────────────────────────



bedrock-knowledge-base/tests/basic/main.tf (terraform)
======================================================
Tests: 7 (SUCCESSES: 0, FAILURES: 7)
Failures: 7 (MEDIUM: 1, HIGH: 6, CRITICAL: 0)

AVD-AWS-0086 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should block public ACLs on buckets and any objects they contain. By blocking, PUTs with fail if the object has any public ACL a.


See https://avd.aquasec.com/misconfig/avd-aws-0086
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────


AVD-AWS-0087 (HIGH): No public access block so not blocking public policies
════════════════════════════════════════
S3 bucket policy should have block public policy to prevent users from putting a policy that enable public access.


See https://avd.aquasec.com/misconfig/avd-aws-0087
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────


AVD-AWS-0088 (HIGH): Bucket does not have encryption enabled
════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.


See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────


AVD-AWS-0090 (MEDIUM): Bucket does not have versioning enabled
════════════════════════════════════════
Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.

You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.

With versioning you can recover more easily from both unintended user actions and application failures.

When you enable versioning, also keep in mind the potential costs of storing noncurrent versions of objects. To help manage those costs, consider setting up an S3 Lifecycle configuration.


See https://avd.aquasec.com/misconfig/avd-aws-0090
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────


AVD-AWS-0091 (HIGH): No public access block so not blocking public acls
════════════════════════════════════════
S3 buckets should ignore public ACLs on buckets and any objects they contain. By ignoring rather than blocking, PUT calls with public ACLs will still be applied but the ACL will be ignored.


See https://avd.aquasec.com/misconfig/avd-aws-0091
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────


AVD-AWS-0093 (HIGH): No public access block so not restricting public buckets
════════════════════════════════════════
S3 buckets should restrict public policies for the bucket. By enabling, the restrict_public_buckets, only the bucket owner and AWS Services can access if it has a public policy.


See https://avd.aquasec.com/misconfig/avd-aws-0093
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────


AVD-AWS-0132 (HIGH): Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.


See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────
 bedrock-knowledge-base/tests/basic/main.tf:37-39
────────────────────────────────────────
  37 ┌ resource "aws_s3_bucket" "documents" {
  38 │   bucket = "basic-kb-documents-bucket"
  39 └ }
────────────────────────────────────────



cloudfront/main.tf (terraform)
==============================
Tests: 5 (SUCCESSES: 0, FAILURES: 5)
Failures: 5 (MEDIUM: 5, HIGH: 0, CRITICAL: 0)

AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/alb_origin/main.tf:27-141 (module.test_alb_origin)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/basic/main.tf:26-82 (module.test_basic)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/lambda_edge/main.tf:30-155 (module.test_lambda_edge)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/multi_origin/main.tf:27-215 (module.test_multi_origin)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/s3_oac/main.tf:27-113 (module.test_s3_oac)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────



s3/main.tf (terraform)
======================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (MEDIUM: 1, HIGH: 0, CRITICAL: 0)

AVD-AWS-0090 (MEDIUM): Bucket does not have versioning enabled
════════════════════════════════════════
Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.

You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.

With versioning you can recover more easily from both unintended user actions and application failures.

When you enable versioning, also keep in mind the potential costs of storing noncurrent versions of objects. To help manage those costs, consider setting up an S3 Lifecycle configuration.


See https://avd.aquasec.com/misconfig/avd-aws-0090
────────────────────────────────────────
 s3/main.tf:33
   via s3/main.tf:32-34 (versioning_configuration)
    via s3/main.tf:29-35 (aws_s3_bucket_versioning.this)
     via s3/tests/basic/main.tf:121-132 (module.no_versioning_bucket)
────────────────────────────────────────
  29   resource "aws_s3_bucket_versioning" "this" {
  30     bucket = aws_s3_bucket.this.id
  31   
  32     versioning_configuration {
  33 [     status = var.versioning_enabled ? "Enabled" : "Suspended"
  34     }
  35   }
────────────────────────────────────────



vpc/main.tf (terraform)
=======================
Tests: 9 (SUCCESSES: 0, FAILURES: 9)
Failures: 9 (MEDIUM: 9, HIGH: 0, CRITICAL: 0)

AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via stack/networking/main.tf:47-59 (module.vpc)
    via stack/networking/tests/basic/main.tf:23-34 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via stack/networking/main.tf:47-59 (module.vpc)
    via stack/networking/tests/no-nat/main.tf:23-37 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via stack/networking/main.tf:47-59 (module.vpc)
    via stack/networking/tests/single-nat/main.tf:23-34 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via vpc/tests/basic/main.tf:23-36 (module.test_vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via internet_gateway/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via nat_gateway/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via route_table/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via security_group/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via subnet/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────

👤 Pusher: @llama90 | 🔄 Action: pull_request | ⚙️ Workflow: Terraform Check
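All five AVD-AWS-0178 findings above point at the same `aws_vpc.this` resource in `vpc/main.tf:12-26`; they only appear five times because each module's `tests/basic/main.tf` instantiates the shared VPC module. One `aws_flow_log` attached to that VPC in the module clears all of them at once. The block below is an added example of that fix, not code from this PR or from the repository's `vpc` module. The resource names (`flow_logs`, `this`), the `var.name` and `var.flow_log_retention_days` variables, and the commented-out KMS key reference are assumptions for illustration; `aws_vpc.this` is the resource trivy reports.

```hcl
# Added example (not part of the PR or the repository's vpc module): publish
# VPC Flow Logs for `aws_vpc.this` to CloudWatch Logs so AVD-AWS-0178 no longer
# fires. `var.name`, `var.flow_log_retention_days` and the KMS key line are
# assumptions for illustration.

resource "aws_cloudwatch_log_group" "flow_logs" {
  name              = "/aws/vpc/${var.name}/flow-logs"
  retention_in_days = var.flow_log_retention_days # e.g. 90; keep long enough for incident response
  # kms_key_id      = aws_kms_key.logs.arn        # optional: customer-managed key for at-rest encryption
}

# Trust policy: only the VPC Flow Logs service may assume the delivery role.
data "aws_iam_policy_document" "flow_logs_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["vpc-flow-logs.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "flow_logs" {
  name               = "${var.name}-vpc-flow-logs"
  assume_role_policy = data.aws_iam_policy_document.flow_logs_assume.json
}

# Least privilege: write access is scoped to the one log group and its streams.
# DescribeLogGroups does not support resource-level scoping, so it stays on "*".
data "aws_iam_policy_document" "flow_logs_write" {
  statement {
    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
      "logs:DescribeLogStreams",
    ]
    resources = [
      aws_cloudwatch_log_group.flow_logs.arn,
      "${aws_cloudwatch_log_group.flow_logs.arn}:*",
    ]
  }

  statement {
    actions   = ["logs:DescribeLogGroups"]
    resources = ["*"]
  }
}

resource "aws_iam_role_policy" "flow_logs" {
  name   = "write-flow-logs"
  role   = aws_iam_role.flow_logs.id
  policy = data.aws_iam_policy_document.flow_logs_write.json
}

resource "aws_flow_log" "this" {
  vpc_id                   = aws_vpc.this.id
  traffic_type             = "ALL" # "ACCEPT" alone hides the rejected traffic detection rules look for
  log_destination_type     = "cloud-watch-logs"
  log_destination          = aws_cloudwatch_log_group.flow_logs.arn
  iam_role_arn             = aws_iam_role.flow_logs.arn
  max_aggregation_interval = 60 # seconds; the 600 s default coarsens timelines during forensics

  tags = {
    Name = "${var.name}-flow-logs"
  }
}
```

After `terraform apply`, `aws ec2 describe-flow-logs --filter Name=resource-id,Values=<vpc-id>` should list one flow log with `FlowLogStatus` of `ACTIVE`; an `IAM role` or `destination` error in `DeliverLogsErrorMessage` means the role trust or the log group policy above is wrong. For an S3 destination instead, set `log_destination_type = "s3"` and `log_destination` to the bucket ARN, drop `iam_role_arn`, and give the bucket a policy that lets `delivery.logs.amazonaws.com` write; a retention or lifecycle rule on whichever destination you choose is what turns this from a checkbox into evidence you can actually investigate with.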
