Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

testing replication #7045

Closed
wants to merge 1 commit into from
Closed

testing replication #7045

wants to merge 1 commit into from

Conversation

Khatraf
Copy link
Contributor

@Khatraf Khatraf commented May 17, 2024

A reference to the issue / Description of it

{Please write here}

How does this PR fix the problem?

{Please write here}

How has this been tested?

Please describe the tests that you ran and provide instructions to reproduce.

{Please write here}

Deployment Plan / Instructions

Will this deployment impact the platform and / or services on it?

{Please write here}

Checklist (check x in [ ] of list items)

  • I have performed a self-review of my own code
  • All checks have passed
  • I have made corresponding changes to the documentation
  • Plan and discussed how it should be deployed to PROD (If needed)

Additional comments (if any)

{Please write here}

@Khatraf Khatraf requested a review from a team as a code owner May 17, 2024 15:25
@github-actions github-actions bot added the core label May 17, 2024
@Khatraf Khatraf added DRAFT and removed core labels May 17, 2024
@Khatraf Khatraf marked this pull request as draft May 17, 2024 15:26
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/core-logging

Running Trivy in terraform/environments/core-logging
2024-05-17T15:27:32Z INFO Need to update DB
2024-05-17T15:27:32Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-17T15:27:34Z INFO Vulnerability scanning is enabled
2024-05-17T15:27:34Z INFO Misconfiguration scanning is enabled
2024-05-17T15:27:34Z INFO Need to update the built-in policies
2024-05-17T15:27:34Z INFO Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-05-17T15:27:34Z INFO Secret scanning is enabled
2024-05-17T15:27:34Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-17T15:27:34Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-17T15:27:37Z INFO Number of language-specific files num=1
2024-05-17T15:27:37Z INFO [gomod] Detecting vulnerabilities...
2024-05-17T15:27:37Z INFO Detected config files num=8

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket-replication-role?ref=3b8a2945c1d266cc0ec2b21edb7f186b6574bda7/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf (terraform)

Tests: 20 (SUCCESSES: 18, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

iam.tf (terraform)

Tests: 12 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 12)
Failures: 0 (HIGH: 0, CRITICAL: 0)

sqs.tf (terraform)

Tests: 4 (SUCCESSES: 3, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/core-logging

*****************************

Running Checkov in terraform/environments/core-logging
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-05-17 15:27:40,620 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket-replication-role?ref=3b8a2945c1d266cc0ec2b21edb7f186b6574bda7:None (for external modules, the --download-external-modules flag is required)
2024-05-17 15:27:40,620 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1:None (for external modules, the --download-external-modules flag is required)
2024-05-17 15:27:40,912 [MainThread  ] [WARNI]  Module /Users/khatra.farah/moj-repo/modernisation-platform-terraform-s3-bucket:latest failed to load via <class 'checkov.terraform.module_loading.loaders.local_path_loader.LocalPathLoader'>
2024-05-17 15:27:40,912 [MainThread  ] [WARNI]  Unable to load module - source: /Users/khatra.farah/moj-repo/modernisation-platform-terraform-s3-bucket, version: latest, error: /Users/khatra.farah/moj-repo/modernisation-platform-terraform-s3-bucket
terraform scan results:

Passed checks: 304, Failed checks: 2, Skipped checks: 55

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket-cloudtrail
	File: /s3_logging.tf:175-223
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		175 | module "s3-bucket-cloudtrail" {
		176 |   source = "/Users/khatra.farah/moj-repo/modernisation-platform-terraform-s3-bucket" # v7.0.0
		177 |   providers = {
		178 |     aws.bucket-replication = aws.modernisation-platform-eu-west-1
		179 |   }
		180 |   bucket_policy              = [data.aws_iam_policy_document.cloudtrail_bucket_policy.json]
		181 |   bucket_name                = "modernisation-platform-logs-cloudtrail"
		182 |   custom_kms_key             = aws_kms_key.s3_logging_cloudtrail.arn
		183 |   custom_replication_kms_key = aws_kms_key.s3_logging_cloudtrail_eu-west-1_replication.arn
		184 | 
		185 |   replication_enabled = true
		186 |   replication_region  = "eu-west-1"
		187 |   versioning_enabled  = true
		188 | 
		189 |   lifecycle_rule = [
		190 |     {
		191 |       id      = "main"
		192 |       enabled = "Enabled"
		193 |       tags    = {}
		194 |       transition = [
		195 |         {
		196 |           days          = 90
		197 |           storage_class = "STANDARD_IA"
		198 |           }, {
		199 |           days          = 365
		200 |           storage_class = "GLACIER"
		201 |         }
		202 |       ]
		203 |       expiration = {
		204 |         days = 730
		205 |       }
		206 |       noncurrent_version_transition = [
		207 |         {
		208 |           days          = 90
		209 |           storage_class = "STANDARD_IA"
		210 |           }, {
		211 |           days          = 365
		212 |           storage_class = "GLACIER"
		213 |         }
		214 |       ]
		215 |       noncurrent_version_expiration = {
		216 |         days = 730
		217 |       }
		218 |     }
		219 |   ]
		220 |   log_bucket           = module.s3-bucket-cloudtrail-logging.bucket.id
		221 |   # replication_role_arn = module.cloudtrail-s3-replication-role.role.arn
		222 |   tags                 = local.tags
		223 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: s3-bucket-cloudtrail
	File: /s3_logging.tf:175-223

		175 | module "s3-bucket-cloudtrail" {
		176 |   source = "/Users/khatra.farah/moj-repo/modernisation-platform-terraform-s3-bucket" # v7.0.0
		177 |   providers = {
		178 |     aws.bucket-replication = aws.modernisation-platform-eu-west-1
		179 |   }
		180 |   bucket_policy              = [data.aws_iam_policy_document.cloudtrail_bucket_policy.json]
		181 |   bucket_name                = "modernisation-platform-logs-cloudtrail"
		182 |   custom_kms_key             = aws_kms_key.s3_logging_cloudtrail.arn
		183 |   custom_replication_kms_key = aws_kms_key.s3_logging_cloudtrail_eu-west-1_replication.arn
		184 | 
		185 |   replication_enabled = true
		186 |   replication_region  = "eu-west-1"
		187 |   versioning_enabled  = true
		188 | 
		189 |   lifecycle_rule = [
		190 |     {
		191 |       id      = "main"
		192 |       enabled = "Enabled"
		193 |       tags    = {}
		194 |       transition = [
		195 |         {
		196 |           days          = 90
		197 |           storage_class = "STANDARD_IA"
		198 |           }, {
		199 |           days          = 365
		200 |           storage_class = "GLACIER"
		201 |         }
		202 |       ]
		203 |       expiration = {
		204 |         days = 730
		205 |       }
		206 |       noncurrent_version_transition = [
		207 |         {
		208 |           days          = 90
		209 |           storage_class = "STANDARD_IA"
		210 |           }, {
		211 |           days          = 365
		212 |           storage_class = "GLACIER"
		213 |         }
		214 |       ]
		215 |       noncurrent_version_expiration = {
		216 |         days = 730
		217 |       }
		218 |     }
		219 |   ]
		220 |   log_bucket           = module.s3-bucket-cloudtrail-logging.bucket.id
		221 |   # replication_role_arn = module.cloudtrail-s3-replication-role.role.arn
		222 |   tags                 = local.tags
		223 | }


checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/core-logging

*****************************

Running tflint in terraform/environments/core-logging
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/core-logging

*****************************

Running Trivy in terraform/environments/core-logging
2024-05-17T15:27:32Z	INFO	Need to update DB
2024-05-17T15:27:32Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-17T15:27:34Z	INFO	Vulnerability scanning is enabled
2024-05-17T15:27:34Z	INFO	Misconfiguration scanning is enabled
2024-05-17T15:27:34Z	INFO	Need to update the built-in policies
2024-05-17T15:27:34Z	INFO	Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-05-17T15:27:34Z	INFO	Secret scanning is enabled
2024-05-17T15:27:34Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-17T15:27:34Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-17T15:27:37Z	INFO	Number of language-specific files	num=1
2024-05-17T15:27:37Z	INFO	[gomod] Detecting vulnerabilities...
2024-05-17T15:27:37Z	INFO	Detected config files	num=8

github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket-replication-role?ref=3b8a2945c1d266cc0ec2b21edb7f186b6574bda7/main.tf (terraform)
=========================================================================================================================================================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)


github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf (terraform)
========================================================================================================================================
Tests: 20 (SUCCESSES: 18, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)


iam.tf (terraform)
==================
Tests: 12 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 12)
Failures: 0 (HIGH: 0, CRITICAL: 0)


sqs.tf (terraform)
==================
Tests: 4 (SUCCESSES: 3, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

@Khatraf Khatraf closed this May 20, 2024
@Khatraf Khatraf deleted the test/s3-replication branch June 25, 2024 15:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@Khatraf