DPR2-1136: Add new reconciliation job parameters (#8334)
* DPR2-1136: Configure non-domain reconciliation job to fail the job if reconciliation fails and to not write CloudWatch metrics.

* DPR2-1136: Comments to ignore checkov checks as requested by Devops

* DPR2-1136: tflint changes as requested by devops

* DPR2-1136: Set type of redshift_ingress_sec_rules to map of map of any

* DPR2-1136: More checkov ignores
tom-ogle-moj authored Oct 18, 2024
1 parent 7fb642e commit 62b6b3d
Showing 9 changed files with 61 additions and 1 deletion.
2 changes: 2 additions & 0 deletions terraform/environments/digital-prison-reporting/main.tf
Expand Up @@ -637,6 +637,8 @@ module "glue_data_reconciliation_job" {
"--dpr.reconciliation.datasource.glue.connection.name" = aws_glue_connection.glue_nomis_connection[0].name
"--dpr.reconciliation.datasource.source.schema.name" = "OMS_OWNER"
"--dpr.reconciliation.datasource.should.uppercase.tablenames" = "true"
"--dpr.reconciliation.fail.job.if.checks.fail" = "true"
"--dpr.reconciliation.report.results.to.cloudwatch" = "false"
})
}

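Review bot: Setting `"--dpr.reconciliation.report.results.to.cloudwatch" = "false"` next to `"--dpr.reconciliation.fail.job.if.checks.fail" = "true"` leaves the Glue run state as the only record of a reconciliation mismatch, and nothing in this hunk shows an alarm or notification wired to that failure. If the intent is that the failed run is itself the alert, a comment above the two keys should say so, e.g. `# Non-domain reconciliation: fail the run on a mismatch instead of emitting CloudWatch metrics; alerting relies on the Glue job-failure signal`. Worth confirming that an alarm on this job's failed runs exists before the metric path is switched off, because the absence of a metric series does not trigger anything by itself. The `glue_data_reconciliation_job` module block begins outside the hunk.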
Expand Up @@ -39,6 +39,7 @@ resource "aws_db_subnet_group" "this" {
resource "aws_rds_cluster" "this" {
#checkov:skip=CKV2_AWS_8: "Ignore - Ensure that RDS clusters has backup plan of AWS Backup"
#checkov:skip=CKV2_AWS_27: "Ignore - Ensure Postgres RDS as aws_rds_cluster has Query Logging enabled"
#checkov:skip=CKV_AWS_324: "Ensure that RDS Cluster log capture is enabled"
count = local.create ? 1 : 0

allocated_storage = var.allocated_storage
Expand Down Expand Up @@ -160,6 +161,7 @@ resource "aws_rds_cluster" "this" {
################################################################################

resource "aws_rds_cluster_instance" "this" {
#checkov:skip=CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
for_each = { for k, v in var.instances : k => v if local.create && !local.is_serverless }

apply_immediately = try(each.value.apply_immediately, var.apply_immediately)
Expand Down Expand Up @@ -419,6 +421,7 @@ resource "aws_db_parameter_group" "this" {
# Log groups will not be created if using a cluster identifier prefix
resource "aws_cloudwatch_log_group" "this" {
#checkov:skip=CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS, Skipping for Timebeing in view of Cost Savings”
#checkov:skip=CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"

for_each = toset([for log in var.enabled_cloudwatch_logs_exports : log if local.create && var.create_cloudwatch_log_group && !var.cluster_use_name_prefix])

Expand Down Expand Up @@ -451,6 +454,7 @@ resource "aws_rds_cluster_activity_stream" "this" {
################################################################################

resource "aws_secretsmanager_secret_rotation" "this" {
#checkov:skip=CKV_AWS_304: "Ensure Secrets Manager secrets should be rotated within 90 days"
count = local.create && var.manage_master_user_password && var.manage_master_user_password_rotation ? 1 : 0

secret_id = aws_rds_cluster.this[0].master_user_secret[0].secret_arn
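Review bot: The new `#checkov:skip` lines on `aws_rds_cluster` (CKV_AWS_324), `aws_rds_cluster_instance` (CKV_AWS_118), `aws_cloudwatch_log_group` (CKV_AWS_338) and `aws_secretsmanager_secret_rotation` (CKV_AWS_304) use the check's own title as the suppression comment, so they record what is skipped but not why, whereas the existing skips at least say "Ignore - ...". Checkov reads the text after the second colon as the justification, which is what an auditor or the next maintainer uses to decide whether the exception still holds; for checks that cover log capture, enhanced monitoring, log retention and secret rotation, the accepted detection or exposure gap is the fact worth recording. A short reason plus an owner or ticket reference is enough, e.g. `#checkov:skip=CKV_AWS_324: "Log capture not needed for this non-production cluster - accepted under DPR2-1136, revisit before production"` (the reason and environment are placeholders to fill in). The same pattern appears in the later `aws_secretsmanager_secret` (CKV_AWS_149, twice), `aws_db_instance` and `aws_redshift_cluster` (CKV_AWS_71, CKV_AWS_321) hunks.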
@@ -0,0 +1,10 @@
terraform {
required_providers {
aws = {
version = "~> 5.0"
source = "hashicorp/aws"
}

}
required_version = "~> 1.0"
}
@@ -1,5 +1,6 @@
resource "aws_secretsmanager_secret" "password" {
#checkov:skip=CKV2_AWS_57: “Ignore - Ensure Secrets Manager secrets should have automatic rotation enabled"
#checkov:skip=CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"

name = "${var.name}-password"
}
Expand Down Expand Up @@ -39,6 +40,13 @@ resource "aws_db_instance" "default" {
#checkov:skip=CKV2_AWS_30:”Query Logging is not required"
#checkov:skip=CKV2_AWS_60: “Ignore -Ensure RDS instance with copy tags to snapshots is enabled"
#checkov:skip=CKV_AWS_129: "Ensure that respective logs of Amazon Relational Database Service (Amazon RDS) are enabled"
#checkov:skip=CKV_AWS_161: "Ensure RDS database has IAM authentication enabled"
#checkov:skip=CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
#checkov:skip=CKV_AWS_157: "Ensure that RDS instances have Multi-AZ enabled"
#checkov:skip=CKV_AWS_118: "Ensure that enhanced monitoring is enabled for Amazon RDS instances"
#checkov:skip=CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
#checkov:skip=CKV_AWS_226: "Ensure DB instance gets all minor upgrades automatically"
#checkov:skip=CKV_AWS_293: "Ensure that AWS database instances have deletion protection enabled"

count = var.enable_rds ? 1 : 0
identifier = var.name
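Review bot: Of the seven skips added to `aws_db_instance`, CKV_AWS_226 and CKV_AWS_293 differ from the monitoring and Multi-AZ ones in that they map to single boolean arguments, `auto_minor_version_upgrade` and `deletion_protection`, which carry no running cost; suppressing the check instead of setting the argument leaves automatic patching and accidental-deletion protection off without stating why. The resource block runs past the hunk, so whether these arguments are already set is not visible here; if they are, the two skips are redundant and should go, and if they are not, exposing them as module inputs, e.g. `auto_minor_version_upgrade = var.auto_minor_version_upgrade` and `deletion_protection = var.deletion_protection`, lets the environments that want them satisfy the checks. CKV_AWS_161 (IAM authentication) likewise suppresses a check on an authentication control rather than a cost item, so its comment should record why the password-based path is kept. With three pre-existing skips this resource now exempts ten of Checkov's RDS hardening checks, which makes a per-line reason more important than it would be for one or two exceptions.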
@@ -0,0 +1,15 @@
terraform {
required_providers {
aws = {
version = "~> 5.0"
source = "hashicorp/aws"
}

random = {
version = ">= 3.0.0"
source = "hashicorp/random"
}

}
required_version = "~> 1.0"
}
Expand Up @@ -13,6 +13,8 @@ resource "aws_redshift_cluster" "this" {
count = var.create_redshift_cluster ? 1 : 0

#checkov:skip=CKV_AWS_105: "Ensure Redshift uses SSL"
#checkov:skip=CKV_AWS_71: "Ensure Redshift Cluster logging is enabled"
#checkov:skip=CKV_AWS_321: "Ensure Redshift clusters use enhanced VPC routing"

cluster_identifier = var.name
allow_version_upgrade = var.allow_version_upgrade
Expand Up @@ -17,6 +17,7 @@ resource "random_string" "unique_suffix" {

resource "aws_secretsmanager_secret" "redshift_connection" {
#checkov:skip=CKV2_AWS_57: “Ignore - Ensure Secrets Manager secrets should have automatic rotation enabled"
#checkov:skip=CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"

description = "Redshift connect details"
name = "${var.project_id}-redshift-secret-${var.env}"
@@ -1,4 +1,6 @@
variable "vpc" {}
variable "vpc" {
type = string
}

variable "project_id" {
type = string
Expand All @@ -18,6 +20,7 @@ variable "cidr" {

variable "redshift_ingress_sec_rules" {
description = "A Map of map of security group Rules to associate with"
type = map(map(any))
default = {
"redshift-tcp" = {
"from_port" = 5439,
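Review bot: `type = map(map(any))` on `redshift_ingress_sec_rules` only constrains the value to nested maps; Terraform resolves `any` to a single concrete element type per map, so if an inner rule map holds both a number such as `"from_port" = 5439` and a list (CIDR blocks, say) the default will fail to unify, and if it holds only scalars a mistyped rule still passes validation. The visible default stops at `"from_port" = 5439` and the block continues past the hunk, so the full rule shape is not in view. An object type naming the rule fields would both validate the default and reject malformed ingress rules at plan time, e.g. `type = map(object({ from_port = number, to_port = number, protocol = string, cidr_blocks = list(string) }))`, with the field list adjusted to what the default actually contains (constructed example). The `variable "vpc"` change above is fine as a tflint fix.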
@@ -0,0 +1,15 @@
terraform {
required_providers {
aws = {
version = "~> 5.0"
source = "hashicorp/aws"
}

random = {
version = ">= 3.0.0"
source = "hashicorp/random"
}

}
required_version = "~> 1.0"
}
