🔧 Add QuickSight Configuration #6108

Merged
merged 2 commits into from
May 16, 2024

Conversation

Gary-H9
Contributor

@Gary-H9 Gary-H9 commented May 15, 2024

Installation of QuickSight as per this issue.

@Gary-H9 Gary-H9 requested review from a team as code owners May 15, 2024 16:22
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label May 15, 2024
@Gary-H9 Gary-H9 requested a deployment to analytical-platform-compute-development May 15, 2024 16:24 — with GitHub Actions Waiting

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Trivy in terraform/environments/analytical-platform-compute
2024-05-15T16:24:55Z INFO Need to update DB
2024-05-15T16:24:55Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-15T16:24:57Z INFO Vulnerability scanning is enabled
2024-05-15T16:24:57Z INFO Misconfiguration scanning is enabled
2024-05-15T16:24:57Z INFO Need to update the built-in policies
2024-05-15T16:24:57Z INFO Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-05-15T16:24:57Z INFO Secret scanning is enabled
2024-05-15T16:24:57Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-15T16:24:57Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-15T16:25:03Z INFO Number of language-specific files num=0
2024-05-15T16:25:03Z INFO Detected config files num=11

git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=92fca6fcf94777c55eeccb398fa546a43b958475/main.tf (terraform)

Tests: 5 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=39e42e1f847afe5fd1c1c98c64871817e37e33ca/modules/iam-role-for-service-accounts-eks/policies.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=25322b6b6be69db6cca7f167d7b0e5327156a595/vpc-flow-logs.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

Checkov Scan Failed

Show Output
*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Checkov in terraform/environments/analytical-platform-compute
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-05-15 16:25:05,666 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.1.2 (for external modules, the --download-external-modules flag is required)
2024-05-15 16:25:05,666 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.8.1 (for external modules, the --download-external-modules flag is required)
2024-05-15 16:25:05,666 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.39.0 (for external modules, the --download-external-modules flag is required)
2024-05-15 16:25:05,666 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.8.1 (for external modules, the --download-external-modules flag is required)
2024-05-15 16:25:05,666 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.0.1 (for external modules, the --download-external-modules flag is required)
2024-05-15 16:25:05,666 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
2024-05-15 16:25:05,666 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.10.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 7, Failed checks: 8, Skipped checks: 8

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: eks
	File: /eks-cluster.tf:4-108

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: vpc_cni_iam_role
	File: /iam-roles.tf:1-19

		1  | module "vpc_cni_iam_role" {
		2  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		3  | 
		4  |   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
		5  |   version = "5.39.0"
		6  | 
		7  |   role_name_prefix      = "vpc-cni"
		8  |   attach_vpc_cni_policy = true
		9  |   vpc_cni_enable_ipv4   = true
		10 | 
		11 |   oidc_providers = {
		12 |     main = {
		13 |       provider_arn               = module.eks.oidc_provider_arn
		14 |       namespace_service_accounts = ["kube-system:aws-node"]
		15 |     }
		16 |   }
		17 | 
		18 |   tags = local.tags
		19 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: vpc_flow_logs_kms
	File: /kms-keys.tf:1-40

		1  | module "vpc_flow_logs_kms" {
		2  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		3  | 
		4  |   source  = "terraform-aws-modules/kms/aws"
		5  |   version = "3.0.0"
		6  | 
		7  |   aliases                 = ["vpc-flow-logs"]
		8  |   description             = "VPC flow logs KMS key"
		9  |   enable_default_policy   = true
		10 |   deletion_window_in_days = 7
		11 |   key_statements = [
		12 |     {
		13 |       sid = "AllowCloudWatchLogs"
		14 |       actions = [
		15 |         "kms:Encrypt*",
		16 |         "kms:Decrypt*",
		17 |         "kms:ReEncrypt*",
		18 |         "kms:GenerateDataKey*",
		19 |         "kms:Describe*"
		20 |       ]
		21 |       resources = ["*"]
		22 |       effect    = "Allow"
		23 |       principals = [
		24 |         {
		25 |           type        = "Service"
		26 |           identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		27 |         }
		28 |       ]
		29 |       conditions = [
		30 |         {
		31 |           test     = "ArnEquals"
		32 |           variable = "kms:EncryptionContext:aws:logs:arn"
		33 |           values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${local.vpc_flow_log_cloudwatch_log_group_name_prefix}*"]
		34 |         }
		35 |       ]
		36 |     }
		37 |   ]
		38 | 
		39 |   tags = local.tags
		40 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: eks_cluster_logs_kms
	File: /kms-keys.tf:42-81

		42 | module "eks_cluster_logs_kms" {
		43 |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		44 | 
		45 |   source  = "terraform-aws-modules/kms/aws"
		46 |   version = "3.0.0"
		47 | 
		48 |   aliases                 = ["eks-cluster-logs"]
		49 |   description             = "EKS cluster logs KMS key"
		50 |   enable_default_policy   = true
		51 |   deletion_window_in_days = 7
		52 |   key_statements = [
		53 |     {
		54 |       sid = "AllowCloudWatchLogs"
		55 |       actions = [
		56 |         "kms:Encrypt*",
		57 |         "kms:Decrypt*",
		58 |         "kms:ReEncrypt*",
		59 |         "kms:GenerateDataKey*",
		60 |         "kms:Describe*"
		61 |       ]
		62 |       resources = ["*"]
		63 |       effect    = "Allow"
		64 |       principals = [
		65 |         {
		66 |           type        = "Service"
		67 |           identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		68 |         }
		69 |       ]
		70 |       conditions = [
		71 |         {
		72 |           test     = "ArnEquals"
		73 |           variable = "kms:EncryptionContext:aws:logs:arn"
		74 |           values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/eks/*"]
		75 |         }
		76 |       ]
		77 |     }
		78 |   ]
		79 | 
		80 |   tags = local.tags
		81 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: observability_platform_tenant
	File: /observability-platform.tf:1-11

		1  | module "observability_platform_tenant" {
		2  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		3  | 
		4  |   source  = "ministryofjustice/observability-platform-tenant/aws"
		5  |   version = "1.0.1"
		6  | 
		7  |   observability_platform_account_id = local.environment_management.account_ids["observability-platform-${local.environment_configuration.observability_platform}"]
		8  |   enable_xray                       = true
		9  | 
		10 |   tags = local.tags
		11 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: vpc_endpoints_security_group
	File: /security-groups.tf:1-16

		1  | module "vpc_endpoints_security_group" {
		2  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		3  | 
		4  |   source  = "terraform-aws-modules/security-group/aws"
		5  |   version = "5.1.2"
		6  | 
		7  |   name        = "${module.vpc.name}-vpc-endpoints"
		8  |   description = "VPC endpoints security group"
		9  | 
		10 |   vpc_id = module.vpc.vpc_id
		11 | 
		12 |   ingress_cidr_blocks = [module.vpc.vpc_cidr_block]
		13 |   ingress_rules       = ["https-443-tcp"]
		14 | 
		15 |   tags = local.tags
		16 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: vpc_endpoints
	File: /vpc-endpoints.tf:1-120

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: vpc
	File: /vpc.tf:4-42

		4  | module "vpc" {
		5  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		6  | 
		7  |   source  = "terraform-aws-modules/vpc/aws"
		8  |   version = "5.8.1"
		9  | 
		10 |   name                = local.our_vpc_name
		11 |   azs                 = slice(data.aws_availability_zones.available.names, 0, 3)
		12 |   cidr                = local.environment_configuration.vpc_cidr
		13 |   public_subnets      = local.environment_configuration.vpc_public_subnets
		14 |   database_subnets    = local.environment_configuration.vpc_database_subnets
		15 |   elasticache_subnets = local.environment_configuration.vpc_elasticache_subnets
		16 |   intra_subnets       = local.environment_configuration.vpc_intra_subnets
		17 |   private_subnets     = local.environment_configuration.vpc_private_subnets
		18 | 
		19 |   enable_nat_gateway     = local.environment_configuration.vpc_enable_nat_gateway
		20 |   one_nat_gateway_per_az = local.environment_configuration.vpc_one_nat_gateway_per_az
		21 |   single_nat_gateway     = local.environment_configuration.vpc_single_nat_gateway
		22 | 
		23 |   enable_flow_log                                 = true
		24 |   create_flow_log_cloudwatch_log_group            = true
		25 |   create_flow_log_cloudwatch_iam_role             = true
		26 |   flow_log_cloudwatch_log_group_name_prefix       = local.vpc_flow_log_cloudwatch_log_group_name_prefix
		27 |   flow_log_cloudwatch_log_group_name_suffix       = local.vpc_flow_log_cloudwatch_log_group_name_suffix
		28 |   flow_log_cloudwatch_log_group_kms_key_id        = module.vpc_flow_logs_kms.key_arn
		29 |   flow_log_cloudwatch_log_group_retention_in_days = local.vpc_flow_log_cloudwatch_log_group_retention_in_days
		30 |   flow_log_max_aggregation_interval               = local.vpc_flow_log_max_aggregation_interval
		31 |   vpc_flow_log_tags                               = { Name = local.our_vpc_name }
		32 | 
		33 |   public_subnet_tags = {
		34 |     "kubernetes.io/role/elb" = 1
		35 |   }
		36 | 
		37 |   private_subnet_tags = {
		38 |     "kubernetes.io/role/internal-elb" = 1
		39 |   }
		40 | 
		41 |   tags = local.tags
		42 | }


checkov_exitcode=1

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running tflint in terraform/environments/analytical-platform-compute
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

@Gary-H9 Gary-H9 requested a deployment to analytical-platform-compute-development May 15, 2024 16:25 — with GitHub Actions Waiting
@Gary-H9 Gary-H9 had a problem deploying to analytical-platform-compute-test May 15, 2024 16:28 — with GitHub Actions Error
@Gary-H9 Gary-H9 had a problem deploying to analytical-platform-compute-development May 15, 2024 16:28 — with GitHub Actions Error

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Trivy in terraform/environments/analytical-platform-compute
2024-05-15T16:29:32Z INFO Need to update DB
2024-05-15T16:29:32Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-15T16:29:34Z INFO Vulnerability scanning is enabled
2024-05-15T16:29:34Z INFO Misconfiguration scanning is enabled
2024-05-15T16:29:34Z INFO Need to update the built-in policies
2024-05-15T16:29:34Z INFO Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-05-15T16:29:34Z INFO Secret scanning is enabled
2024-05-15T16:29:34Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-15T16:29:34Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-15T16:29:41Z INFO Number of language-specific files num=0
2024-05-15T16:29:41Z INFO Detected config files num=11

git::https:/github.com/terraform-aws-modules/terraform-aws-eks?ref=92fca6fcf94777c55eeccb398fa546a43b958475/main.tf (terraform)

Tests: 5 (SUCCESSES: 1, FAILURES: 0, EXCEPTIONS: 4)
Failures: 0 (HIGH: 0, CRITICAL: 0)

git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=39e42e1f847afe5fd1c1c98c64871817e37e33ca/modules/iam-role-for-service-accounts-eks/policies.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

git::https:/github.com/terraform-aws-modules/terraform-aws-vpc?ref=25322b6b6be69db6cca7f167d7b0e5327156a595/vpc-flow-logs.tf (terraform)

Tests: 2 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 2)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

Checkov Scan Failed

Show Output
*****************************

Checkov will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running Checkov in terraform/environments/analytical-platform-compute
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-05-15 16:29:43,677 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/security-group/aws:5.1.2 (for external modules, the --download-external-modules flag is required)
2024-05-15 16:29:43,677 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws//modules/vpc-endpoints:5.8.1 (for external modules, the --download-external-modules flag is required)
2024-05-15 16:29:43,677 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks:5.39.0 (for external modules, the --download-external-modules flag is required)
2024-05-15 16:29:43,677 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/vpc/aws:5.8.1 (for external modules, the --download-external-modules flag is required)
2024-05-15 16:29:43,677 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.0.1 (for external modules, the --download-external-modules flag is required)
2024-05-15 16:29:43,677 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/kms/aws:3.0.0 (for external modules, the --download-external-modules flag is required)
2024-05-15 16:29:43,677 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/eks/aws:20.10.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 7, Failed checks: 8, Skipped checks: 8

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: eks
	File: /eks-cluster.tf:4-108

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: vpc_cni_iam_role
	File: /iam-roles.tf:1-19

		1  | module "vpc_cni_iam_role" {
		2  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		3  | 
		4  |   source  = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
		5  |   version = "5.39.0"
		6  | 
		7  |   role_name_prefix      = "vpc-cni"
		8  |   attach_vpc_cni_policy = true
		9  |   vpc_cni_enable_ipv4   = true
		10 | 
		11 |   oidc_providers = {
		12 |     main = {
		13 |       provider_arn               = module.eks.oidc_provider_arn
		14 |       namespace_service_accounts = ["kube-system:aws-node"]
		15 |     }
		16 |   }
		17 | 
		18 |   tags = local.tags
		19 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: vpc_flow_logs_kms
	File: /kms-keys.tf:1-40

		1  | module "vpc_flow_logs_kms" {
		2  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		3  | 
		4  |   source  = "terraform-aws-modules/kms/aws"
		5  |   version = "3.0.0"
		6  | 
		7  |   aliases                 = ["vpc-flow-logs"]
		8  |   description             = "VPC flow logs KMS key"
		9  |   enable_default_policy   = true
		10 |   deletion_window_in_days = 7
		11 |   key_statements = [
		12 |     {
		13 |       sid = "AllowCloudWatchLogs"
		14 |       actions = [
		15 |         "kms:Encrypt*",
		16 |         "kms:Decrypt*",
		17 |         "kms:ReEncrypt*",
		18 |         "kms:GenerateDataKey*",
		19 |         "kms:Describe*"
		20 |       ]
		21 |       resources = ["*"]
		22 |       effect    = "Allow"
		23 |       principals = [
		24 |         {
		25 |           type        = "Service"
		26 |           identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		27 |         }
		28 |       ]
		29 |       conditions = [
		30 |         {
		31 |           test     = "ArnEquals"
		32 |           variable = "kms:EncryptionContext:aws:logs:arn"
		33 |           values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${local.vpc_flow_log_cloudwatch_log_group_name_prefix}*"]
		34 |         }
		35 |       ]
		36 |     }
		37 |   ]
		38 | 
		39 |   tags = local.tags
		40 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: eks_cluster_logs_kms
	File: /kms-keys.tf:42-81

		42 | module "eks_cluster_logs_kms" {
		43 |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		44 | 
		45 |   source  = "terraform-aws-modules/kms/aws"
		46 |   version = "3.0.0"
		47 | 
		48 |   aliases                 = ["eks-cluster-logs"]
		49 |   description             = "EKS cluster logs KMS key"
		50 |   enable_default_policy   = true
		51 |   deletion_window_in_days = 7
		52 |   key_statements = [
		53 |     {
		54 |       sid = "AllowCloudWatchLogs"
		55 |       actions = [
		56 |         "kms:Encrypt*",
		57 |         "kms:Decrypt*",
		58 |         "kms:ReEncrypt*",
		59 |         "kms:GenerateDataKey*",
		60 |         "kms:Describe*"
		61 |       ]
		62 |       resources = ["*"]
		63 |       effect    = "Allow"
		64 |       principals = [
		65 |         {
		66 |           type        = "Service"
		67 |           identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
		68 |         }
		69 |       ]
		70 |       conditions = [
		71 |         {
		72 |           test     = "ArnEquals"
		73 |           variable = "kms:EncryptionContext:aws:logs:arn"
		74 |           values   = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:/aws/eks/*"]
		75 |         }
		76 |       ]
		77 |     }
		78 |   ]
		79 | 
		80 |   tags = local.tags
		81 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: observability_platform_tenant
	File: /observability-platform.tf:1-11

		1  | module "observability_platform_tenant" {
		2  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		3  | 
		4  |   source  = "ministryofjustice/observability-platform-tenant/aws"
		5  |   version = "1.0.1"
		6  | 
		7  |   observability_platform_account_id = local.environment_management.account_ids["observability-platform-${local.environment_configuration.observability_platform}"]
		8  |   enable_xray                       = true
		9  | 
		10 |   tags = local.tags
		11 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: vpc_endpoints_security_group
	File: /security-groups.tf:1-16

		1  | module "vpc_endpoints_security_group" {
		2  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		3  | 
		4  |   source  = "terraform-aws-modules/security-group/aws"
		5  |   version = "5.1.2"
		6  | 
		7  |   name        = "${module.vpc.name}-vpc-endpoints"
		8  |   description = "VPC endpoints security group"
		9  | 
		10 |   vpc_id = module.vpc.vpc_id
		11 | 
		12 |   ingress_cidr_blocks = [module.vpc.vpc_cidr_block]
		13 |   ingress_rules       = ["https-443-tcp"]
		14 | 
		15 |   tags = local.tags
		16 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: vpc_endpoints
	File: /vpc-endpoints.tf:1-120

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: vpc
	File: /vpc.tf:4-42

		4  | module "vpc" {
		5  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		6  | 
		7  |   source  = "terraform-aws-modules/vpc/aws"
		8  |   version = "5.8.1"
		9  | 
		10 |   name                = local.our_vpc_name
		11 |   azs                 = slice(data.aws_availability_zones.available.names, 0, 3)
		12 |   cidr                = local.environment_configuration.vpc_cidr
		13 |   public_subnets      = local.environment_configuration.vpc_public_subnets
		14 |   database_subnets    = local.environment_configuration.vpc_database_subnets
		15 |   elasticache_subnets = local.environment_configuration.vpc_elasticache_subnets
		16 |   intra_subnets       = local.environment_configuration.vpc_intra_subnets
		17 |   private_subnets     = local.environment_configuration.vpc_private_subnets
		18 | 
		19 |   enable_nat_gateway     = local.environment_configuration.vpc_enable_nat_gateway
		20 |   one_nat_gateway_per_az = local.environment_configuration.vpc_one_nat_gateway_per_az
		21 |   single_nat_gateway     = local.environment_configuration.vpc_single_nat_gateway
		22 | 
		23 |   enable_flow_log                                 = true
		24 |   create_flow_log_cloudwatch_log_group            = true
		25 |   create_flow_log_cloudwatch_iam_role             = true
		26 |   flow_log_cloudwatch_log_group_name_prefix       = local.vpc_flow_log_cloudwatch_log_group_name_prefix
		27 |   flow_log_cloudwatch_log_group_name_suffix       = local.vpc_flow_log_cloudwatch_log_group_name_suffix
		28 |   flow_log_cloudwatch_log_group_kms_key_id        = module.vpc_flow_logs_kms.key_arn
		29 |   flow_log_cloudwatch_log_group_retention_in_days = local.vpc_flow_log_cloudwatch_log_group_retention_in_days
		30 |   flow_log_max_aggregation_interval               = local.vpc_flow_log_max_aggregation_interval
		31 |   vpc_flow_log_tags                               = { Name = local.our_vpc_name }
		32 | 
		33 |   public_subnet_tags = {
		34 |     "kubernetes.io/role/elb" = 1
		35 |   }
		36 | 
		37 |   private_subnet_tags = {
		38 |     "kubernetes.io/role/internal-elb" = 1
		39 |   }
		40 | 
		41 |   tags = local.tags
		42 | }


checkov_exitcode=1

CTFLint Scan Success

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/analytical-platform-compute

*****************************

Running tflint in terraform/environments/analytical-platform-compute
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Contributor

@julialawrence julialawrence left a comment

It lives!

@Gary-H9 Gary-H9 had a problem deploying to analytical-platform-compute-test May 16, 2024 09:50 — with GitHub Actions Error
@Gary-H9 Gary-H9 had a problem deploying to analytical-platform-compute-development May 16, 2024 09:50 — with GitHub Actions Failure
@Gary-H9 Gary-H9 had a problem deploying to analytical-platform-compute-development May 16, 2024 10:22 — with GitHub Actions Failure
@Gary-H9 Gary-H9 had a problem deploying to analytical-platform-compute-development May 16, 2024 11:21 — with GitHub Actions Failure
@Gary-H9 Gary-H9 had a problem deploying to analytical-platform-compute-development May 16, 2024 11:33 — with GitHub Actions Failure
@Gary-H9 Gary-H9 had a problem deploying to analytical-platform-compute-development May 16, 2024 11:40 — with GitHub Actions Failure
@Gary-H9 Gary-H9 temporarily deployed to analytical-platform-compute-development May 16, 2024 11:49 — with GitHub Actions Inactive
@Gary-H9 Gary-H9 temporarily deployed to analytical-platform-compute-development May 16, 2024 15:05 — with GitHub Actions Inactive
@Gary-H9 Gary-H9 temporarily deployed to analytical-platform-compute-test May 16, 2024 15:06 — with GitHub Actions Inactive
Member

@jacobwoffenden jacobwoffenden left a comment

LGTM

@jacobwoffenden jacobwoffenden merged commit ed9de39 into main May 16, 2024
13 of 14 checks passed
@jacobwoffenden jacobwoffenden deleted the ap-quicksight branch May 16, 2024 15:09