[u] Scan GitLab EC2 instance with Amazon Inspector (#4189, PR #5066)

DataBiosphere · Mar 19, 2023 · dc53ac4 · dc53ac4
2 parents 3b8792c + eaf2b0c
commit dc53ac4
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 2 deletions.
diff --git a/UPGRADING.rst b/UPGRADING.rst
@@ -27,7 +27,10 @@ Operator
 ~~~~~~~~
 
 Manually deploy the ``gitlab`` component of any main deployment just *before*
-pushing the merge commit to the GitLab instance in that deployment.
+pushing the merge commit to the GitLab instance in that deployment. The
+Terraform code that enables Amazon Inspector is currently unreliable. Check
+the Amazon Inspector console to see if it is enabled. If you see a *Get
+started …* button, it is not, and you need to repeat this step.
 
 
 #5019 Index public & mock-MA snapshots in anvilprod

diff --git a/terraform/gitlab/gitlab.tf.json.template.py b/terraform/gitlab/gitlab.tf.json.template.py
@@ -1228,6 +1228,11 @@ def qq(*words):
                 })
             },
         },
+        'aws_iam_service_linked_role': {
+            'gitlab_ssm': {
+                'aws_service_name': 'ssm.amazonaws.com',
+            }
+        },
         'aws_iam_role_policy_attachment': {
             'gitlab_iam': {
                 'role': '${aws_iam_role.gitlab.name}',
@@ -1255,7 +1260,8 @@ def qq(*words):
         'aws_inspector2_enabler': {
             'gitlab': {
                 'account_ids': [aws.account],
-                'resource_types': ['ECR', 'EC2']
+                'resource_types': ['ECR', 'EC2'],
+                'depends_on': ['aws_iam_service_linked_role.gitlab_ssm']
             }
         },
         'google_service_account': {