Skip to content

Add AWS Cognito Terraform module#39

Open
llama90 wants to merge 4 commits intomainfrom
claude/cognito-module-DwHM7
Open

Add AWS Cognito Terraform module#39
llama90 wants to merge 4 commits intomainfrom
claude/cognito-module-DwHM7

Conversation

@llama90
Copy link
Contributor

@llama90 llama90 commented Dec 21, 2025

This module provides production-ready configuration for AWS Cognito User Pools and Identity Pools with comprehensive authentication and authorization features:

  • User Pool with flexible sign-in options (email, phone number, username)
  • Password policy configuration with strength requirements
  • Multi-factor authentication (MFA) support (TOTP and SMS)
  • User Pool Clients for web, mobile, and server-side applications
  • OAuth 2.0 flows with hosted UI support
  • Identity Pool for providing AWS credentials to authenticated users
  • Custom user attributes for application-specific data
  • Advanced security features (adaptive authentication, compromised credentials detection)
  • Lambda triggers for custom authentication flows
  • Account recovery mechanisms
  • Device tracking and remembering

Features:

  • Multiple user pool clients with independent configurations
  • Hosted UI domain for OAuth 2.0 authentication
  • Identity pool with IAM role management for authenticated/unauthenticated users
  • Custom schema attributes for multi-tenant applications
  • Token validity configuration per client
  • Advanced security modes (audit/enforced)
  • SMS configuration with automatic IAM role creation
  • Email configuration for custom email sending
  • Deletion protection for production environments

Includes:

  • Complete module implementation (main.tf, variables.tf, outputs.tf)
  • Basic test: Simple user pool with email authentication
  • Advanced test: Full production setup with identity pool, OAuth, custom attributes
  • Comprehensive documentation with authentication patterns and SDK examples

Type of Change

  • New module
  • Module enhancement
  • Bug fix
  • Docs / tooling only
  • Other (please describe):

Checklist

  • CI checks passed (terraform validate / tflint / trivy / terraform-docs)
  • No breaking changes, or breaking changes are documented

Module Information

Module Path: terraform/___________

Purpose:

Key Resources:

Additional Notes

Related Issues

Closes #

claude and others added 2 commits December 21, 2025 03:16
@claude
Add AWS Cognito Terraform module
388391d 
This module provides production-ready configuration for AWS Cognito User Pools and Identity Pools with comprehensive authentication and authorization features:

- User Pool with flexible sign-in options (email, phone number, username)
- Password policy configuration with strength requirements
- Multi-factor authentication (MFA) support (TOTP and SMS)
- User Pool Clients for web, mobile, and server-side applications
- OAuth 2.0 flows with hosted UI support
- Identity Pool for providing AWS credentials to authenticated users
- Custom user attributes for application-specific data
- Advanced security features (adaptive authentication, compromised credentials detection)
- Lambda triggers for custom authentication flows
- Account recovery mechanisms
- Device tracking and remembering

Features:
- Multiple user pool clients with independent configurations
- Hosted UI domain for OAuth 2.0 authentication
- Identity pool with IAM role management for authenticated/unauthenticated users
- Custom schema attributes for multi-tenant applications
- Token validity configuration per client
- Advanced security modes (audit/enforced)
- SMS configuration with automatic IAM role creation
- Email configuration for custom email sending
- Deletion protection for production environments

Includes:
- Complete module implementation (main.tf, variables.tf, outputs.tf)
- Basic test: Simple user pool with email authentication
- Advanced test: Full production setup with identity pool, OAuth, custom attributes
- Comprehensive documentation with authentication patterns and SDK examples
@github-actions
chore: auto-format terraform files
acd9145
@github-actions
Copy link
Contributor

github-actions bot commented Dec 21, 2025

✅ Terraform formatting has been automatically applied to this PR.

@github-actions
Copy link
Contributor

github-actions bot commented Dec 21, 2025

🔍 Terraform Check Results

📊 Summary

All checks passed!

Check Status Issues Scope
🖌 Format ✅ success - All modules
🤖 Validate ✅ success - All modules
🔍 TFLint ✅ success 0 issue(s) terraform
🔒 Trivy ✅ success 0 critical, 0 high, 21 medium terraform
🔍 TFLint Details (0 issue(s)) 
Running TFLint on changed modules:
terraform

=== Checking terraform ===
🔒 Trivy Security Details (21 issue(s)) 
Running Trivy on changed modules:
terraform

=== Scanning terraform ===

Report Summary

┌─────────────────────────────────────────┬───────────┬───────────────────┐
│                 Target                  │   Type    │ Misconfigurations │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ _template/tests/basic                   │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/main.tf                             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/basic                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/host_based                    │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/https                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/multi_target                  │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/path_based                    │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ api_gateway/main.tf                     │ terraform │         6         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ api_gateway/tests/basic                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/main.tf                      │ terraform │         5         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/alb_origin             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/basic                  │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/lambda_edge            │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/multi_origin           │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/s3_oac                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudtrail/tests/basic                  │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cognito/tests/advanced                  │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cognito/tests/basic                     │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ dynamodb/tests/advanced                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ dynamodb/tests/basic                    │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/basic                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/spot_instance                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/user_data                     │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/with_ebs                      │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/with_eip                      │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ecr/main.tf                             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ecr/tests/basic                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eks/main.tf                             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eks/tests/basic                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/basic                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/basic/main.tf         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/cross_account         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/cross_account/main.tf │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/pattern               │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/scheduled             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/scheduled/main.tf     │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/cloud-functions/main.tf             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/cloud-functions/tests/basic         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/gcs/main.tf                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/gcs/tests/basic                     │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ internet_gateway/tests/basic            │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/main.tf                          │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/basic                      │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/go                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/python                     │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/typescript                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ nat_gateway/tests/basic                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ parameter-store/tests/basic             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ route_table/tests/basic                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ s3/main.tf                              │ terraform │         1         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ s3/tests/basic                          │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ scp/tests/basic                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ security_group/main.tf                  │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ security_group/tests/basic              │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ sqs/tests/basic                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/audit-logging/tests/basic         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/networking/tests/basic            │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/networking/tests/no-nat           │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/networking/tests/single-nat       │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ subnet/main.tf                          │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ subnet/tests/basic                      │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ vpc/main.tf                             │ terraform │         9         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ vpc/tests/basic                         │ terraform │         0         │
└─────────────────────────────────────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


api_gateway/main.tf (terraform)
===============================
Tests: 6 (SUCCESSES: 0, FAILURES: 6)
Failures: 6 (MEDIUM: 6, HIGH: 0, CRITICAL: 0)

AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:29-57 (module.basic_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:350-381 (module.cached_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:388-457 (module.custom_responses_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:64-104 (module.lambda_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:174-259 (module.secured_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:266-343 (module.validated_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────



cloudfront/main.tf (terraform)
==============================
Tests: 5 (SUCCESSES: 0, FAILURES: 5)
Failures: 5 (MEDIUM: 5, HIGH: 0, CRITICAL: 0)

AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/alb_origin/main.tf:27-141 (module.test_alb_origin)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/basic/main.tf:26-82 (module.test_basic)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/lambda_edge/main.tf:30-155 (module.test_lambda_edge)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/multi_origin/main.tf:27-215 (module.test_multi_origin)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/s3_oac/main.tf:27-113 (module.test_s3_oac)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────



s3/main.tf (terraform)
======================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (MEDIUM: 1, HIGH: 0, CRITICAL: 0)

AVD-AWS-0090 (MEDIUM): Bucket does not have versioning enabled
════════════════════════════════════════
Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.

You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.

With versioning you can recover more easily from both unintended user actions and application failures.

When you enable versioning, also keep in mind the potential costs of storing noncurrent versions of objects. To help manage those costs, consider setting up an S3 Lifecycle configuration.


See https://avd.aquasec.com/misconfig/avd-aws-0090
────────────────────────────────────────
 s3/main.tf:33
   via s3/main.tf:32-34 (versioning_configuration)
    via s3/main.tf:29-35 (aws_s3_bucket_versioning.this)
     via s3/tests/basic/main.tf:121-132 (module.no_versioning_bucket)
────────────────────────────────────────
  29   resource "aws_s3_bucket_versioning" "this" {
  30     bucket = aws_s3_bucket.this.id
  31   
  32     versioning_configuration {
  33 [     status = var.versioning_enabled ? "Enabled" : "Suspended"
  34     }
  35   }
────────────────────────────────────────



vpc/main.tf (terraform)
=======================
Tests: 9 (SUCCESSES: 0, FAILURES: 9)
Failures: 9 (MEDIUM: 9, HIGH: 0, CRITICAL: 0)

AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via stack/networking/main.tf:47-59 (module.vpc)
    via stack/networking/tests/basic/main.tf:23-34 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via stack/networking/main.tf:47-59 (module.vpc)
    via stack/networking/tests/no-nat/main.tf:23-37 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via stack/networking/main.tf:47-59 (module.vpc)
    via stack/networking/tests/single-nat/main.tf:23-34 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via vpc/tests/basic/main.tf:23-36 (module.test_vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via internet_gateway/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via nat_gateway/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via route_table/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via security_group/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via subnet/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────

👤 Pusher: @llama90 | 🔄 Action: pull_request | ⚙️ Workflow: Terraform Check

@claude
Fix cognito module to work without AWS credentials
ca4b256 
Remove data source dependencies that require API calls:
- Remove aws_caller_identity and aws_region data sources
- Use provider::aws::region for region references in outputs
- Remove region and account_id outputs

This allows terraform plan to run without actual AWS credentials.
@github-actions
Copy link
Contributor

github-actions bot commented Dec 21, 2025

🔍 Terraform Check Results

📊 Summary

All checks passed!

Check Status Issues Scope
🖌 Format ✅ success - All modules
🤖 Validate ✅ success - All modules
🔍 TFLint ✅ success 0 issue(s) terraform
🔒 Trivy ✅ success 0 critical, 0 high, 21 medium terraform
🔍 TFLint Details (0 issue(s)) 
Running TFLint on changed modules:
terraform

=== Checking terraform ===
🔒 Trivy Security Details (21 issue(s)) 
Running Trivy on changed modules:
terraform

=== Scanning terraform ===

Report Summary

┌─────────────────────────────────────────┬───────────┬───────────────────┐
│                 Target                  │   Type    │ Misconfigurations │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ _template/tests/basic                   │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/main.tf                             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/basic                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/host_based                    │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/https                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/multi_target                  │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/path_based                    │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ api_gateway/main.tf                     │ terraform │         6         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ api_gateway/tests/basic                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/main.tf                      │ terraform │         5         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/alb_origin             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/basic                  │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/lambda_edge            │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/multi_origin           │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/s3_oac                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudtrail/tests/basic                  │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cognito/tests/advanced                  │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cognito/tests/basic                     │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ dynamodb/tests/advanced                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ dynamodb/tests/basic                    │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/basic                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/spot_instance                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/user_data                     │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/with_ebs                      │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/with_eip                      │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ecr/main.tf                             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ecr/tests/basic                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eks/main.tf                             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eks/tests/basic                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/basic                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/basic/main.tf         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/cross_account         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/cross_account/main.tf │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/pattern               │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/scheduled             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/scheduled/main.tf     │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/cloud-functions/main.tf             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/cloud-functions/tests/basic         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/gcs/main.tf                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/gcs/tests/basic                     │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ internet_gateway/tests/basic            │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/main.tf                          │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/basic                      │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/go                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/python                     │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/typescript                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ nat_gateway/tests/basic                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ parameter-store/tests/basic             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ route_table/tests/basic                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ s3/main.tf                              │ terraform │         1         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ s3/tests/basic                          │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ scp/tests/basic                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ security_group/main.tf                  │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ security_group/tests/basic              │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ sqs/tests/basic                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/audit-logging/tests/basic         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/networking/tests/basic            │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/networking/tests/no-nat           │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/networking/tests/single-nat       │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ subnet/main.tf                          │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ subnet/tests/basic                      │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ vpc/main.tf                             │ terraform │         9         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ vpc/tests/basic                         │ terraform │         0         │
└─────────────────────────────────────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


api_gateway/main.tf (terraform)
===============================
Tests: 6 (SUCCESSES: 0, FAILURES: 6)
Failures: 6 (MEDIUM: 6, HIGH: 0, CRITICAL: 0)

AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:29-57 (module.basic_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:350-381 (module.cached_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:388-457 (module.custom_responses_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:64-104 (module.lambda_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:174-259 (module.secured_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:266-343 (module.validated_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────



cloudfront/main.tf (terraform)
==============================
Tests: 5 (SUCCESSES: 0, FAILURES: 5)
Failures: 5 (MEDIUM: 5, HIGH: 0, CRITICAL: 0)

AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/alb_origin/main.tf:27-141 (module.test_alb_origin)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/basic/main.tf:26-82 (module.test_basic)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/lambda_edge/main.tf:30-155 (module.test_lambda_edge)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/multi_origin/main.tf:27-215 (module.test_multi_origin)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/s3_oac/main.tf:27-113 (module.test_s3_oac)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────



s3/main.tf (terraform)
======================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (MEDIUM: 1, HIGH: 0, CRITICAL: 0)

AVD-AWS-0090 (MEDIUM): Bucket does not have versioning enabled
════════════════════════════════════════
Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.

You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.

With versioning you can recover more easily from both unintended user actions and application failures.

When you enable versioning, also keep in mind the potential costs of storing noncurrent versions of objects. To help manage those costs, consider setting up an S3 Lifecycle configuration.


See https://avd.aquasec.com/misconfig/avd-aws-0090
────────────────────────────────────────
 s3/main.tf:33
   via s3/main.tf:32-34 (versioning_configuration)
    via s3/main.tf:29-35 (aws_s3_bucket_versioning.this)
     via s3/tests/basic/main.tf:121-132 (module.no_versioning_bucket)
────────────────────────────────────────
  29   resource "aws_s3_bucket_versioning" "this" {
  30     bucket = aws_s3_bucket.this.id
  31   
  32     versioning_configuration {
  33 [     status = var.versioning_enabled ? "Enabled" : "Suspended"
  34     }
  35   }
────────────────────────────────────────



vpc/main.tf (terraform)
=======================
Tests: 9 (SUCCESSES: 0, FAILURES: 9)
Failures: 9 (MEDIUM: 9, HIGH: 0, CRITICAL: 0)

AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via stack/networking/main.tf:47-59 (module.vpc)
    via stack/networking/tests/basic/main.tf:23-34 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via stack/networking/main.tf:47-59 (module.vpc)
    via stack/networking/tests/no-nat/main.tf:23-37 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via stack/networking/main.tf:47-59 (module.vpc)
    via stack/networking/tests/single-nat/main.tf:23-34 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via vpc/tests/basic/main.tf:23-36 (module.test_vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via internet_gateway/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via nat_gateway/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via route_table/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via security_group/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via subnet/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────

👤 Pusher: @llama90 | 🔄 Action: pull_request | ⚙️ Workflow: Terraform Check

@claude
Simplify cognito README to follow repository guidelines
36033e8 
- Reduce from 694 lines to ~64 lines (ultra-minimal)
- Remove all verbose use cases and authentication tutorials
- Remove duplicated code examples (OAuth flows, API Gateway integration, etc)
- Simplify Quick Start (minimal client configuration)
- Add terraform-docs section with <details>
- Follow exact structure: Features, Quick Start, Examples, Testing, Docs
- Limit features to 8 items
- Reference tests/ instead of duplicating code

Follows DOCUMENTATION_GUIDELINES.md pattern like ec2 module.
@github-actions
Copy link
Contributor

github-actions bot commented Dec 21, 2025

🔍 Terraform Check Results

📊 Summary

All checks passed!

Check Status Issues Scope
🖌 Format ✅ success - All modules
🤖 Validate ✅ success - All modules
🔍 TFLint ✅ success 0 issue(s) terraform
🔒 Trivy ✅ success 0 critical, 0 high, 21 medium terraform
🔍 TFLint Details (0 issue(s)) 
Running TFLint on changed modules:
terraform

=== Checking terraform ===
🔒 Trivy Security Details (21 issue(s)) 
Running Trivy on changed modules:
terraform

=== Scanning terraform ===

Report Summary

┌─────────────────────────────────────────┬───────────┬───────────────────┐
│                 Target                  │   Type    │ Misconfigurations │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ _template/tests/basic                   │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/main.tf                             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/basic                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/host_based                    │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/https                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/multi_target                  │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ alb/tests/path_based                    │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ api_gateway/main.tf                     │ terraform │         6         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ api_gateway/tests/basic                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ bedrock/main.tf                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ bedrock/tests/advanced                  │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ bedrock/tests/basic                     │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/main.tf                      │ terraform │         5         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/alb_origin             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/basic                  │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/lambda_edge            │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/multi_origin           │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudfront/tests/s3_oac                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cloudtrail/tests/basic                  │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cognito/tests/advanced                  │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ cognito/tests/basic                     │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ dynamodb/tests/advanced                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ dynamodb/tests/basic                    │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/basic                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/spot_instance                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/user_data                     │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/with_ebs                      │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ec2/tests/with_eip                      │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ecr/main.tf                             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ ecr/tests/basic                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eks/main.tf                             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eks/tests/basic                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/basic                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/basic/main.tf         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/cross_account         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/cross_account/main.tf │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/pattern               │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/scheduled             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ eventbridge/tests/scheduled/main.tf     │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/cloud-functions/main.tf             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/cloud-functions/tests/basic         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/gcs/main.tf                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ gcp/gcs/tests/basic                     │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ internet_gateway/tests/basic            │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/main.tf                          │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/basic                      │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/go                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/python                     │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ lambda/tests/typescript                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ nat_gateway/tests/basic                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ parameter-store/tests/basic             │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ route_table/tests/basic                 │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ s3/main.tf                              │ terraform │         1         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ s3/tests/basic                          │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ scp/tests/basic                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ security_group/main.tf                  │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ security_group/tests/basic              │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ sqs/tests/basic                         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/audit-logging/tests/basic         │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/networking/tests/basic            │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/networking/tests/no-nat           │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ stack/networking/tests/single-nat       │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ subnet/main.tf                          │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ subnet/tests/basic                      │ terraform │         0         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ vpc/main.tf                             │ terraform │         9         │
├─────────────────────────────────────────┼───────────┼───────────────────┤
│ vpc/tests/basic                         │ terraform │         0         │
└─────────────────────────────────────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


api_gateway/main.tf (terraform)
===============================
Tests: 6 (SUCCESSES: 0, FAILURES: 6)
Failures: 6 (MEDIUM: 6, HIGH: 0, CRITICAL: 0)

AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:29-57 (module.basic_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:350-381 (module.cached_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:388-457 (module.custom_responses_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:64-104 (module.lambda_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:174-259 (module.secured_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────


AVD-AWS-0001 (MEDIUM): Access logging is not configured.
════════════════════════════════════════
API Gateway stages should have access log settings block configured to track all access to a particular stage. This should be applied to both v1 and v2 gateway stages.


See https://avd.aquasec.com/misconfig/avd-aws-0001
────────────────────────────────────────
 api_gateway/main.tf:315-346
   via api_gateway/tests/basic/main.tf:266-343 (module.validated_api)
────────────────────────────────────────
 315 ┌ resource "aws_api_gateway_stage" "this" {
 316 │   rest_api_id   = aws_api_gateway_rest_api.this.id
 317 │   deployment_id = aws_api_gateway_deployment.this.id
 318 │   stage_name    = var.stage_name
 319 │   description   = var.stage_description
 320 │ 
 321 │   xray_tracing_enabled  = var.xray_tracing_enabled
 322 │   cache_cluster_enabled = var.cache_cluster_enabled
 323 └   cache_cluster_size    = var.cache_cluster_size
 ...   
────────────────────────────────────────



cloudfront/main.tf (terraform)
==============================
Tests: 5 (SUCCESSES: 0, FAILURES: 5)
Failures: 5 (MEDIUM: 5, HIGH: 0, CRITICAL: 0)

AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/alb_origin/main.tf:27-141 (module.test_alb_origin)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/basic/main.tf:26-82 (module.test_basic)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/lambda_edge/main.tf:30-155 (module.test_lambda_edge)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/multi_origin/main.tf:27-215 (module.test_multi_origin)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────


AVD-AWS-0010 (MEDIUM): Distribution does not have logging enabled
════════════════════════════════════════
You should configure CloudFront Access Logging to create log files that contain detailed information about every user request that CloudFront receives


See https://avd.aquasec.com/misconfig/avd-aws-0010
────────────────────────────────────────
 cloudfront/main.tf:56-312
   via cloudfront/tests/s3_oac/main.tf:27-113 (module.test_s3_oac)
────────────────────────────────────────
  56 ┌ resource "aws_cloudfront_distribution" "this" {
  57 │   enabled             = var.enabled
  58 │   is_ipv6_enabled     = var.is_ipv6_enabled
  59 │   comment             = var.distribution_name
  60 │   default_root_object = var.default_root_object
  61 │   price_class         = var.price_class
  62 │   http_version        = var.http_version
  63 │   web_acl_id          = var.web_acl_id
  64 └   retain_on_delete    = var.retain_on_delete
  ..   
────────────────────────────────────────



s3/main.tf (terraform)
======================
Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (MEDIUM: 1, HIGH: 0, CRITICAL: 0)

AVD-AWS-0090 (MEDIUM): Bucket does not have versioning enabled
════════════════════════════════════════
Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.

You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.

With versioning you can recover more easily from both unintended user actions and application failures.

When you enable versioning, also keep in mind the potential costs of storing noncurrent versions of objects. To help manage those costs, consider setting up an S3 Lifecycle configuration.


See https://avd.aquasec.com/misconfig/avd-aws-0090
────────────────────────────────────────
 s3/main.tf:33
   via s3/main.tf:32-34 (versioning_configuration)
    via s3/main.tf:29-35 (aws_s3_bucket_versioning.this)
     via s3/tests/basic/main.tf:121-132 (module.no_versioning_bucket)
────────────────────────────────────────
  29   resource "aws_s3_bucket_versioning" "this" {
  30     bucket = aws_s3_bucket.this.id
  31   
  32     versioning_configuration {
  33 [     status = var.versioning_enabled ? "Enabled" : "Suspended"
  34     }
  35   }
────────────────────────────────────────



vpc/main.tf (terraform)
=======================
Tests: 9 (SUCCESSES: 0, FAILURES: 9)
Failures: 9 (MEDIUM: 9, HIGH: 0, CRITICAL: 0)

AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via stack/networking/main.tf:47-59 (module.vpc)
    via stack/networking/tests/basic/main.tf:23-34 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via stack/networking/main.tf:47-59 (module.vpc)
    via stack/networking/tests/no-nat/main.tf:23-37 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via stack/networking/main.tf:47-59 (module.vpc)
    via stack/networking/tests/single-nat/main.tf:23-34 (module.networking)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via vpc/tests/basic/main.tf:23-36 (module.test_vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via internet_gateway/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via nat_gateway/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via route_table/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via security_group/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────


AVD-AWS-0178 (MEDIUM): VPC does not have VPC Flow Logs enabled.
════════════════════════════════════════
VPC Flow Logs provide visibility into network traffic that traverses the VPC and can be used to detect anomalous traffic or insight during security workflows.


See https://avd.aquasec.com/misconfig/aws-autoscaling-enable-at-rest-encryption
────────────────────────────────────────
 vpc/main.tf:12-26
   via subnet/tests/basic/main.tf:23-28 (module.vpc)
────────────────────────────────────────
  12 ┌ resource "aws_vpc" "this" {
  13 │   cidr_block                           = var.cidr_block
  14 │   enable_dns_support                   = var.enable_dns_support
  15 │   enable_dns_hostnames                 = var.enable_dns_hostnames
  16 │   assign_generated_ipv6_cidr_block     = var.enable_ipv6
  17 │   instance_tenancy                     = var.instance_tenancy
  18 │   enable_network_address_usage_metrics = var.enable_network_address_usage_metrics
  19 │ 
  20 └   tags = merge(
  ..   
────────────────────────────────────────

👤 Pusher: @llama90 | 🔄 Action: pull_request | ⚙️ Workflow: Terraform Check

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@llama90 @claude