Scan GitLab EC2 instance with Amazon Inspector (#4189, #4751)

[hannes-ucsc]

Connected issues: #4189, #4751

Checklist

Author

• PR is a draft
• Target branch is develop
• Name of PR branch matches issues/<GitHub handle of author>/<issue#>-<slug>
• PR title references all connected issues
• PR title matches¹ that of a connected issue _{or comment in PR explains why they're different}
• For each connected issue, there is at least one commit whose title references that issue
• PR is connected to all connected issues via ZenHub
• PR description links to connected issues
• Added partial label to PR _{or this PR completely resolves all connected issues}

¹ when the issue title describes a problem, the corresponding PR
title is Fix: followed by the issue title

Author (reindex, API changes)

• Added r tag to commit title _{or this PR does not require reindexing}
• Added reindex label to PR _{or this PR does not require reindexing}
• Added a (compatible changes) or A (incompatible ones) tag to commit title _{or this PR does not modify the Azul service API}
• Added API label to connected issues _{or this PR does not modify the Azul service API}

Author (chains)

• This PR is blocked by previous PR in the chain _{or this PR is not chained to another PR}
• Added base label to the blocking PR _{or this PR is not chained to another PR}
• Added chained label to this PR _{or this PR is not chained to another PR}

Author (upgrading)

• Documented upgrading of deployments in UPGRADING.rst _{or this PR does not require upgrading}
• Added u tag to commit title _{or this PR does not require upgrading}
• Added upgrade label to PR _{or this PR does not require upgrading}

Author (operator tasks)

• Added checklist items for additional operator tasks _{or this PR does not require additional tasks}

Author (hotfixes)

• Added F tag to main commit title _{or this PR does not include permanent fix for a temporary hotfix}
• Reverted the temporary hotfixes for any connected issues _{or the prod branch has no temporary hotfixes for any connected issues}

Author (before every review)

• Rebased PR branch on develop, squashed old fixups
• Ran make requirements_update _{or this PR does not touch requirements*.txt, common.mk, Makefile and Dockerfile}
• Added R tag to commit title _{or this PR does not touch requirements*.txt}
• Added reqs label to PR _{or this PR does not touch requirements*.txt}
• make integration_test passes in personal deployment _{or this PR does not touch functionality that could break the IT}

Peer reviewer (after requesting changes)

Uncheck the Author (before every review) checklists.

Peer reviewer (after approval)

• PR is not a draft
• Ticket is in Review requested column
• Requested review from primary reviewer
• Assigned PR to primary reviewer

Primary reviewer (after requesting changes)

Uncheck the before every review checklists. Update the N reviews label.

Primary reviewer (after approval)

• Actually approved the PR
• Labeled connected issues as demo or no demo
• Commented on connected issues about demo expectations _{or all connected issues are labeled no demo}
• Decided if PR can be labeled no sandbox
• PR title is appropriate as title of merge commit
• N reviews label is accurate
• Moved ticket to Approved column
• Assigned PR to current operator

Operator (before pushing merge the commit)

• Checked reindex label and r commit title tag
• Checked that demo expectations are clear _{or all connected issues are labeled no demo}
• Squashed PR branch and rebased onto develop
• Sanity-checked history
• Pushed PR branch to GitHub
• Pushed PR branch to GitLab dev and added sandbox label _{or PR is labeled no sandbox}
• Pushed PR branch to GitLab anvildev _{or PR is labeled no sandbox}
• Build passes in sandbox deployment _{or PR is labeled no sandbox}
• Build passes in anvilbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in sandbox deployment _{or PR is labeled no sandbox}
• Reviewed build logs for anomalies in anvilbox deployment _{or PR is labeled no sandbox}
• Deleted unreferenced indices in sandbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices}
• Deleted unreferenced indices in anvilbox _{or this PR does not remove catalogs or otherwise causes unreferenced indices}
• Started reindex in sandbox _{or this PR does not require reindexing sandbox}
• Started reindex in anvilbox _{or this PR does not require reindexing sandbox}
• Checked for failures in sandbox _{or this PR does not require reindexing sandbox}
• Checked for failures in anvilbox _{or this PR does not require reindexing sandbox}
• Added PR reference to merge commit title
• Collected commit title tags in merge commit title
• Moved connected issues to Merged column in ZenHub
• Pushed merge commit to GitHub

Operator (after pushing the merge commit)

• Shortened the PR chain _{or this PR is not labeled base}
• Deployed dev.gitlab
• Pushed merge commit to GitLab dev _{or PR is labeled no sandbox}
• Deployed anvildev.gitlab
• Pushed merge commit to GitLab anvildev _{or PR is labeled no sandbox}
• Build passes on GitLab dev¹
• Reviewed build logs for anomalies on GitLab dev¹
• Build passes on GitLab anvildev¹
• Reviewed build logs for anomalies on GitLab anvildev¹
• Deleted PR branch from GitHub
• Deleted PR branch from GitLab dev
• Deleted PR branch from GitLab anvildev

¹ When pushing the merge commit is skipped due to the PR being
labelled no sandbox, the next build triggered by a PR whose merge commit is
pushed determines this checklist item.

Operator (reindex)

• Deleted unreferenced indices in dev _{or this PR does not remove catalogs or otherwise causes unreferenced indices}
• Deleted unreferenced indices in anvildev _{or this PR does not remove catalogs or otherwise causes unreferenced indices}
• Started reindex in dev _{or this PR does not require reindexing}
• Started reindex in anvildev _{or this PR does not require reindexing}
• Checked for and triaged indexing failures in dev _{or this PR does not require reindexing}
• Checked for and triaged indexing failures in anvildev _{or this PR does not require reindexing}
• Emptied fail queues in dev deployment _{or this PR does not require reindexing}
• Emptied fail queues in anvildev deployment _{or this PR does not require reindexing}

Operator

• Added upgrade items to CL of next promotion PR
• Unassigned PR

Shorthand for review comments

• L line is too long
• W line wrapping is wrong
• Q bad quotes
• F other formatting problem

[coveralls]

Coverage: 84.594%. Remained the same when pulling 59c2a7d on issues/hannes-ucsc/4189-inspector into 920b366 on develop.

[codecov]

Codecov Report

Merging #5058 (59c2a7d) into develop (920b366) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff            @@
##           develop    #5058   +/-   ##
========================================
  Coverage    84.40%   84.40%           
========================================
  Files          146      146           
  Lines        17783    17783           
========================================
  Hits         15010    15010           
  Misses        2773     2773           

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[dsotirho-ucsc]

Pro forma approval

[dsotirho-ucsc]

@hannes-ucsc to investigate the unauthorized error that occurred in anvildev when @danielsotirhos manually deployed the gitlab component there.

[hannes-ucsc]

Investigated and filed ticket with AWS. It is not clear what the cause is. It could be this bug in Terraform or a missing service-linked role for SSM. I created a new PR to create the latter. The TF bug may need to be worked around by retrying the deployment of the gitlab component. I've updated the upgrade instructions accordingly.

Disconnecting this PR from the main issue so that I can connect it to the new PR.