Inspector ECR scanning settings are not managed #6358

Open
hannes-ucsc opened this issue Jun 25, 2024 · 2 comments
Labels
- [priority] Medium
- bug [type] A defect preventing use of the system as specified
- debt [type] A defect incurring continued engineering cost
- infra [subject] Project infrastructure like CI/CD, build and deployment scripts
- orange [process] Done by the Azul team

Comments

@hannes-ucsc
Member

hannes-ucsc commented Jun 25, 2024

… by Terraform, and are inconsistent between accounts, for example

platform-temp-dev: [screenshot of Inspector ECR scanning settings]

platform-anvil-prod: [screenshot of Inspector ECR scanning settings]

Additionally, basic vs enhanced setting and the scan filters are not managed by TF either:

[screenshot of ECR registry scanning configuration]
@hannes-ucsc hannes-ucsc added the orange [process] Done by the Azul team label Jun 25, 2024
@hannes-ucsc
Member Author

hannes-ucsc commented Jun 25, 2024

We currently use an aws_inspector2_enabler resource to enable Inspector for EC2 and ECR, but there is nothing in TF to change the re-scan duration. There is a feature request for it, but that request is still open.

The API for updating the re-scan duration is https://docs.aws.amazon.com/inspector/v2/APIReference/API_UpdateConfiguration.html so we could piggy-back an invocation of that API as a provisioner script for a null resource that depends on (and is triggered by) the aws_inspector2_enabler resource. IIRC, the aws_inspector2_enabler was unreliable and its effect could only be observed after a delay, but we can at least try. Care must be taken for the provisioner script to be robust, idempotent and to reliably report failure so that the delay issue can be dealt with by retrying the deployment with Terraform.

The TF resource for basic vs enhanced setting and the scan filters appears to be

https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/ecr_registry_scanning_configuration

and we should add that, again depending on (and triggered by) the aws_inspector2_enabler resource.

The aws_inspector2_enabler resource currently resides in the GitLab component so we need to move that first. There already is #5760 for that.

@hannes-ucsc hannes-ucsc added bug [type] A defect preventing use of the system as specified infra [subject] Project infrastructure like CI/CD, build and deployment scripts labels Jun 25, 2024
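A sketch of the approach described in the comment above, as an added example that is not Azul's code: the aws_inspector2_enabler, the aws_ecr_registry_scanning_configuration resource linked above, and a null_resource whose local-exec provisioner calls the UpdateConfiguration API through the AWS CLI, polls until the change is visible, and exits non-zero otherwise so a failed apply can be retried. The DAYS_30 value, the wildcard repository filter and the polling budget are assumptions.

```hcl
# Added example, not Azul's code: enable Inspector, then manage the settings
# the issue says are unmanaged. rescan_duration and the filter are assumed.
locals {
  rescan_duration = "DAYS_30" # assumed; the API also accepts LIFETIME, DAYS_180
}

data "aws_caller_identity" "current" {}
resource "aws_inspector2_enabler" "this" {
  account_ids    = [data.aws_caller_identity.current.account_id]
  resource_types = ["EC2", "ECR"]
}

# Basic vs enhanced scanning and the scan filters, via the resource linked above
resource "aws_ecr_registry_scanning_configuration" "this" {
  depends_on = [aws_inspector2_enabler.this]
  scan_type  = "ENHANCED"
  rule {
    scan_frequency = "CONTINUOUS_SCAN"
    repository_filter {
      filter      = "*" # assumed: scan every repository
      filter_type = "WILDCARD"
    }
  }
}

# No provider resource covers the re-scan duration, so call UpdateConfiguration
# from a provisioner. Re-runs whenever the enabler or the wanted value changes.
resource "null_resource" "inspector_rescan_duration" {
  depends_on = [aws_inspector2_enabler.this]
  triggers = {
    enabler         = aws_inspector2_enabler.this.id
    rescan_duration = local.rescan_duration
  }
  provisioner "local-exec" {
    interpreter = ["/bin/bash", "-c"]
    command     = <<-EOT
      set -euo pipefail
      want="${local.rescan_duration}"
      aws inspector2 update-configuration --ecr-configuration "rescanDuration=$${want}"
      # The setting can lag; poll, then fail loudly so the apply can be retried.
      for _ in $(seq 1 12); do
        got=$(aws inspector2 get-configuration \
          --query 'ecrConfiguration.rescanDurationState.rescanDuration' --output text)
        [ "$got" = "$want" ] && exit 0
        sleep 10
      done
      echo "Inspector re-scan duration is '$got', expected '$want'" >&2
      exit 1
    EOT
  }
}
```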
@dsotirho-ucsc
Contributor

@hannes-ucsc: "Once we have clarity about the cause of #6354, assignee to manually modify the rescan duration in tempdev to be consistent with the other deployments. After that we can look into programmatically managing the resources as described above."

@dsotirho-ucsc dsotirho-ucsc added debt [type] A defect incurring continued engineering cost - [priority] Medium labels Jul 2, 2024