Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump terraform-aws-modules/iam/aws from 5.39.0 to 5.39.1 in /terraform/environments/observability-platform #6113

Merged
merged 1 commit into from
May 17, 2024
Merged

Bump terraform-aws-modules/iam/aws from 5.39.0 to 5.39.1 in /terraform/environments/observability-platform #6113

merged 1 commit into from
May 17, 2024

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github May 16, 2024

Bumps terraform-aws-modules/iam/aws from 5.39.0 to 5.39.1.

Release notes

Sourced from terraform-aws-modules/iam/aws's releases.

v5.39.1

5.39.1 (2024-05-15)

Bug Fixes

  • Fixed trust condition in modules/iam-github-oidc-role to be https (#490) (ecaed18)
Changelog

Sourced from terraform-aws-modules/iam/aws's changelog.

5.39.1 (2024-05-15)

Bug Fixes

  • Fixed trust condition in modules/iam-github-oidc-role to be https (#490) (ecaed18)
Commits
  • de95e21 chore(release): version 5.39.1 [skip ci]
  • ecaed18 fix: Fixed trust condition in modules/iam-github-oidc-role to be https (#490)
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump terraform-aws-modules/iam/aws
5a27a30 
Bumps [terraform-aws-modules/iam/aws](https://github.com/terraform-aws-modules/terraform-aws-iam) from 5.39.0 to 5.39.1.
- [Release notes](https://github.com/terraform-aws-modules/terraform-aws-iam/releases)
- [Changelog](https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/CHANGELOG.md)
- [Commits](terraform-aws-modules/terraform-aws-iam@v5.39.0...v5.39.1)

---
updated-dependencies:
- dependency-name: terraform-aws-modules/iam/aws
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot requested review from a team as code owners May 16, 2024 01:02
@dependabot dependabot bot added dependencies Pull requests that update a dependency file terraform Pull requests that update Terraform code labels May 16, 2024
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label May 16, 2024
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/observability-platform terraform/environments/observability-platform/modules/prometheus/iam-role

Running Trivy in terraform/environments/observability-platform
2024-05-16T01:04:57Z INFO Need to update DB
2024-05-16T01:04:57Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-16T01:04:59Z INFO Vulnerability scanning is enabled
2024-05-16T01:04:59Z INFO Misconfiguration scanning is enabled
2024-05-16T01:04:59Z INFO Need to update the built-in policies
2024-05-16T01:04:59Z INFO Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-05-16T01:05:00Z INFO Secret scanning is enabled
2024-05-16T01:05:00Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-16T01:05:00Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-16T01:05:02Z INFO Number of language-specific files num=0
2024-05-16T01:05:02Z INFO Detected config files num=6

git::https:/github.com/terraform-aws-modules/terraform-aws-lambda?ref=8a370bab3e5eb6425ee6b8fbb8fbde00ab300f7a/iam.tf (terraform)

Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)

git::https:/github.com/terraform-aws-modules/terraform-aws-managed-service-grafana?ref=14dc9a17539887d8c92456b6d4464f379d8c7bd1/main.tf (terraform)

Tests: 29 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 29)
Failures: 0 (HIGH: 0, CRITICAL: 0)

iam-policies.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

Running Trivy in terraform/environments/observability-platform/modules/prometheus/iam-role
2024-05-16T01:05:02Z INFO Vulnerability scanning is enabled
2024-05-16T01:05:02Z INFO Misconfiguration scanning is enabled
2024-05-16T01:05:02Z INFO Secret scanning is enabled
2024-05-16T01:05:02Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-16T01:05:02Z INFO Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-16T01:05:03Z INFO Number of language-specific files num=0
2024-05-16T01:05:03Z INFO Detected config files num=2

main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/observability-platform terraform/environments/observability-platform/modules/prometheus/iam-role

*****************************

Running Checkov in terraform/environments/observability-platform
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-05-16 01:05:06,373 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.0.1 (for external modules, the --download-external-modules flag is required)
2024-05-16 01:05:06,373 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.39.1 (for external modules, the --download-external-modules flag is required)
2024-05-16 01:05:06,373 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-grafana/aws:2.1.1 (for external modules, the --download-external-modules flag is required)
2024-05-16 01:05:06,373 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-prometheus/aws:2.2.3 (for external modules, the --download-external-modules flag is required)
2024-05-16 01:05:06,373 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.4.0 (for external modules, the --download-external-modules flag is required)
2024-05-16 01:05:06,373 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.39.1 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 30, Failed checks: 7, Skipped checks: 15

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: amazon_managed_grafana_remote_cloudwatch_iam_policy
	File: /iam-policies.tf:12-21

		12 | module "amazon_managed_grafana_remote_cloudwatch_iam_policy" {
		13 |   #checkov:skip=CKV_TF_1:Module is from Terraform registry
		14 | 
		15 |   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
		16 |   version = "5.39.1"
		17 | 
		18 |   name_prefix = "amazon-managed-grafana-remote-cloudwatch"
		19 | 
		20 |   policy = data.aws_iam_policy_document.amazon_managed_grafana_remote_cloudwatch.json
		21 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: grafana_api_key_rotator
	File: /lambda-functions.tf:3-51

		3  | module "grafana_api_key_rotator" {
		4  |   #checkov:skip=CKV_TF_1:Module is from Terraform registry
		5  |   #checkov:skip=CKV_AWS_258:Function is not invoked by URL
		6  | 
		7  |   source  = "terraform-aws-modules/lambda/aws"
		8  |   version = "7.4.0"
		9  | 
		10 |   publish        = true
		11 |   create_package = false
		12 | 
		13 |   function_name = "grafana-api-key-rotator"
		14 |   description   = "Rotates the Grafana API key used by Terraform"
		15 |   package_type  = "Image"
		16 |   memory_size   = 2048
		17 |   timeout       = 120
		18 |   image_uri     = "374269020027.dkr.ecr.eu-west-2.amazonaws.com/observability-platform-grafana-api-key-rotator:${local.environment_configuration.grafana_api_key_rotator_version}"
		19 | 
		20 |   environment_variables = {
		21 |     WORKSPACE_API_KEY_NAME = "observability-platform-automation" #checkov:skip=CKV_SECRET_6:This a reference to a secret, not a secret itself
		22 |     WORKSPACE_ID           = module.managed_grafana.workspace_id
		23 |     SECRET_ID              = aws_secretsmanager_secret.grafana_api_key.id
		24 |   }
		25 | 
		26 |   attach_policy_statements = true
		27 |   policy_statements = {
		28 |     "grafana" = {
		29 |       sid    = "Grafana"
		30 |       effect = "Allow"
		31 |       actions = [
		32 |         "grafana:CreateWorkspaceApiKey",
		33 |         "grafana:DeleteWorkspaceApiKey"
		34 |       ]
		35 |       resources = [module.managed_grafana.workspace_arn]
		36 |     }
		37 |     "secretsmanager" = {
		38 |       sid       = "SecretsManager"
		39 |       effect    = "Allow"
		40 |       actions   = ["secretsmanager:UpdateSecret"]
		41 |       resources = [aws_secretsmanager_secret.grafana_api_key.arn]
		42 |     }
		43 |   }
		44 | 
		45 |   allowed_triggers = {
		46 |     "eventbridge" = {
		47 |       principal  = "events.amazonaws.com"
		48 |       source_arn = aws_cloudwatch_event_rule.grafana_api_key_rotator.arn
		49 |     }
		50 |   }
		51 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: managed_grafana
	File: /managed-grafana.tf:2-40

		2  | module "managed_grafana" {
		3  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		4  |   #checkov:skip=CKV2_AWS_5:AMG doesn't run in a VPC, so it doesn't need a security group
		5  | 
		6  |   source  = "terraform-aws-modules/managed-service-grafana/aws"
		7  |   version = "2.1.1"
		8  | 
		9  |   name = local.application_name
		10 | 
		11 |   license_type = "ENTERPRISE"
		12 | 
		13 |   account_access_type       = "CURRENT_ACCOUNT"
		14 |   authentication_providers  = ["AWS_SSO"]
		15 |   permission_type           = "SERVICE_MANAGED"
		16 |   data_sources              = ["CLOUDWATCH", "PROMETHEUS"]
		17 |   notification_destinations = ["SNS"]
		18 | 
		19 |   iam_role_policy_arns = [module.amazon_managed_grafana_remote_cloudwatch_iam_policy.arn]
		20 | 
		21 |   configuration = jsonencode({
		22 |     unifiedAlerting = {
		23 |       enabled = true
		24 |     }
		25 |     plugins = {
		26 |       pluginAdminEnabled = true
		27 |     }
		28 |   })
		29 | 
		30 |   role_associations = {
		31 |     "ADMIN" = {
		32 |       "group_ids" = [data.aws_identitystore_group.observability_platform.id]
		33 |     }
		34 |     "EDITOR" = {
		35 |       "group_ids" = [for team in data.aws_identitystore_group.all_identity_centre_teams : team.id]
		36 |     }
		37 |   }
		38 | 
		39 |   tags = local.tags
		40 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: managed_prometheus
	File: /managed-prometheus.tf:1-10

		1  | module "managed_prometheus" {
		2  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		3  | 
		4  |   source  = "terraform-aws-modules/managed-service-prometheus/aws"
		5  |   version = "2.2.3"
		6  | 
		7  |   workspace_alias = local.application_name
		8  | 
		9  |   tags = local.tags
		10 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: module.tenant_configuration.module.prometheus_push.iam_policy
	File: /modules/prometheus/iam-role/main.tf:19-28
	Calling File: /modules/observability-platform/tenant-configuration/main.tf:27-36

		19 | module "iam_policy" {
		20 |   #checkov:skip=CKV_TF_1:Module is from Terraform registry
		21 | 
		22 |   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
		23 |   version = "5.39.1"
		24 | 
		25 |   name_prefix = "${var.name}-prometheus"
		26 | 
		27 |   policy = data.aws_iam_policy_document.aps.json
		28 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: module.tenant_configuration.module.prometheus_push.iam_role
	File: /modules/prometheus/iam-role/main.tf:30-41
	Calling File: /modules/observability-platform/tenant-configuration/main.tf:27-36

		30 | module "iam_role" {
		31 |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		32 | 
		33 |   source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
		34 |   version = "5.39.1"
		35 | 
		36 |   create_role             = true
		37 |   role_name               = "${var.name}-prometheus"
		38 |   trusted_role_arns       = ["arn:aws:iam::${var.account_id}:root"]
		39 |   custom_role_policy_arns = [module.iam_policy.arn]
		40 |   role_requires_mfa       = false
		41 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: observability_platform_tenant
	File: /observability-platform.tf:1-11

		1  | module "observability_platform_tenant" {
		2  |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		3  | 
		4  |   source  = "ministryofjustice/observability-platform-tenant/aws"
		5  |   version = "1.0.1"
		6  | 
		7  |   observability_platform_account_id = data.aws_caller_identity.current.account_id
		8  |   enable_xray                       = true
		9  | 
		10 |   tags = local.tags
		11 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/observability-platform/modules/prometheus/iam-role
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-05-16 01:05:09,643 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.39.1 (for external modules, the --download-external-modules flag is required)
2024-05-16 01:05:09,643 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.39.1 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 11, Failed checks: 2, Skipped checks: 2

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: iam_policy
	File: /main.tf:19-28

		19 | module "iam_policy" {
		20 |   #checkov:skip=CKV_TF_1:Module is from Terraform registry
		21 | 
		22 |   source  = "terraform-aws-modules/iam/aws//modules/iam-policy"
		23 |   version = "5.39.1"
		24 | 
		25 |   name_prefix = "${var.name}-prometheus"
		26 | 
		27 |   policy = data.aws_iam_policy_document.aps.json
		28 | }

Check: CKV_TF_2: "Ensure Terraform module sources use a tag with a version number"
	FAILED for resource: iam_role
	File: /main.tf:30-41

		30 | module "iam_role" {
		31 |   #checkov:skip=CKV_TF_1:Module registry does not support commit hashes for versions
		32 | 
		33 |   source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role"
		34 |   version = "5.39.1"
		35 | 
		36 |   create_role             = true
		37 |   role_name               = "${var.name}-prometheus"
		38 |   trusted_role_arns       = ["arn:aws:iam::${var.account_id}:root"]
		39 |   custom_role_policy_arns = [module.iam_policy.arn]
		40 |   role_requires_mfa       = false
		41 | }


checkov_exitcode=2

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/observability-platform terraform/environments/observability-platform/modules/prometheus/iam-role

*****************************

Running tflint in terraform/environments/observability-platform
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/observability-platform/modules/prometheus/iam-role
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on  line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/observability-platform/modules/prometheus/iam-role/main.tf line 5:
   5: data "aws_iam_policy_document" "aps" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=2

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/observability-platform terraform/environments/observability-platform/modules/prometheus/iam-role

*****************************

Running Trivy in terraform/environments/observability-platform
2024-05-16T01:04:57Z	INFO	Need to update DB
2024-05-16T01:04:57Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-05-16T01:04:59Z	INFO	Vulnerability scanning is enabled
2024-05-16T01:04:59Z	INFO	Misconfiguration scanning is enabled
2024-05-16T01:04:59Z	INFO	Need to update the built-in policies
2024-05-16T01:04:59Z	INFO	Downloading the built-in policies...
50.41 KiB / 50.41 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-05-16T01:05:00Z	INFO	Secret scanning is enabled
2024-05-16T01:05:00Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-16T01:05:00Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-16T01:05:02Z	INFO	Number of language-specific files	num=0
2024-05-16T01:05:02Z	INFO	Detected config files	num=6

git::https:/github.com/terraform-aws-modules/terraform-aws-lambda?ref=8a370bab3e5eb6425ee6b8fbb8fbde00ab300f7a/iam.tf (terraform)
=================================================================================================================================
Tests: 13 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 13)
Failures: 0 (HIGH: 0, CRITICAL: 0)


git::https:/github.com/terraform-aws-modules/terraform-aws-managed-service-grafana?ref=14dc9a17539887d8c92456b6d4464f379d8c7bd1/main.tf (terraform)
===================================================================================================================================================
Tests: 29 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 29)
Failures: 0 (HIGH: 0, CRITICAL: 0)


iam-policies.tf (terraform)
===========================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/observability-platform/modules/prometheus/iam-role
2024-05-16T01:05:02Z	INFO	Vulnerability scanning is enabled
2024-05-16T01:05:02Z	INFO	Misconfiguration scanning is enabled
2024-05-16T01:05:02Z	INFO	Secret scanning is enabled
2024-05-16T01:05:02Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-05-16T01:05:02Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.51/docs/scanner/secret/#recommendation for faster secret detection
2024-05-16T01:05:03Z	INFO	Number of language-specific files	num=0
2024-05-16T01:05:03Z	INFO	Detected config files	num=2

main.tf (terraform)
===================
Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1)
Failures: 0 (HIGH: 0, CRITICAL: 0)

trivy_exitcode=0

@SteveLinden SteveLinden merged commit 22a6ee6 into main May 17, 2024
11 of 14 checks passed
@SteveLinden SteveLinden deleted the dependabot/terraform/terraform/environments/observability-platform/terraform-aws-modules/iam/aws-5.39.1 branch May 17, 2024 12:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@SteveLinden SteveLinden SteveLinden approved these changes

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file environments-repository Used to exclude PRs from this repo in our Slack PR update terraform Pull requests that update Terraform code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
1 participant
@SteveLinden