less permissive db permissions #4531

wullub · 2024-01-12T16:55:28Z

less permissive db permissions

github-actions · 2024-01-12T16:57:39Z

`Checkov Scan` Success

Show Output

*****************************

Checkov will check the following folders:

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:

`Trivy Scan`

Show Output

github-actions · 2024-01-15T12:25:54Z

`TFSEC Scan` Success

Show Output

```hcl

TFSEC will check the following folders:
terraform/environments/nomis-data-hub

Running TFSEC in terraform/environments/nomis-data-hub
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

timings
──────────────────────────────────────────
disk i/o 1.506221ms
parsing 148.617356ms
adaptation 110.797µs
checks 3.255124ms
total 153.489498ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 5
blocks processed 269
files read 71

results
──────────────────────────────────────────
passed 1
ignored 0
critical 0
high 0
medium 0
low 0

No problems detected!

tfsec_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running Checkov in terraform/environments/nomis-data-hub
terraform scan results:

Passed checks: 90, Failed checks: 0, Skipped checks: 19


checkov_exitcode=0

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running tflint in terraform/environments/nomis-data-hub
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

`Trivy Scan`

Show Output

github-actions · 2024-01-15T12:30:04Z

`TFSEC Scan` Success

Show Output

```hcl

TFSEC will check the following folders:
terraform/environments/nomis-data-hub

Running TFSEC in terraform/environments/nomis-data-hub
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

timings
──────────────────────────────────────────
disk i/o 1.45756ms
parsing 141.550039ms
adaptation 114.994µs
checks 3.694093ms
total 146.816686ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 5
blocks processed 269
files read 71

results
──────────────────────────────────────────
passed 1
ignored 0
critical 0
high 0
medium 0
low 0

No problems detected!

tfsec_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running Checkov in terraform/environments/nomis-data-hub
terraform scan results:

Passed checks: 90, Failed checks: 0, Skipped checks: 19


checkov_exitcode=0

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/nomis-data-hub

*****************************

Running tflint in terraform/environments/nomis-data-hub
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

`Trivy Scan`

Show Output

github-actions · 2024-01-15T15:44:44Z

`TFSEC Scan` Success

Show Output

```hcl

TFSEC will check the following folders:
terraform/environments/hmpps-domain-services

Running TFSEC in terraform/environments/hmpps-domain-services
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

timings
──────────────────────────────────────────
disk i/o 1.491173ms
parsing 145.547042ms
adaptation 110.056µs
checks 3.23156ms
total 150.379831ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 5
blocks processed 278
files read 73

results
──────────────────────────────────────────
passed 1
ignored 0
critical 0
high 0
medium 0
low 0

No problems detected!

tfsec_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/hmpps-domain-services

*****************************

Running Checkov in terraform/environments/hmpps-domain-services
terraform scan results:

Passed checks: 95, Failed checks: 0, Skipped checks: 19


checkov_exitcode=0

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/hmpps-domain-services

*****************************

Running tflint in terraform/environments/hmpps-domain-services
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

`Trivy Scan`

Show Output

github-actions · 2024-01-15T15:58:29Z

`TFSEC Scan` Success

Show Output

```hcl

TFSEC will check the following folders:
terraform/environments/hmpps-domain-services

Running TFSEC in terraform/environments/hmpps-domain-services
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

timings
──────────────────────────────────────────
disk i/o 1.524286ms
parsing 159.727844ms
adaptation 111.908µs
checks 3.084222ms
total 164.44826ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 5
blocks processed 279
files read 73

results
──────────────────────────────────────────
passed 1
ignored 0
critical 0
high 0
medium 0
low 0

No problems detected!

tfsec_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/hmpps-domain-services

*****************************

Running Checkov in terraform/environments/hmpps-domain-services
terraform scan results:

Passed checks: 95, Failed checks: 0, Skipped checks: 19


checkov_exitcode=0

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/hmpps-domain-services

*****************************

Running tflint in terraform/environments/hmpps-domain-services
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

`Trivy Scan`

Show Output

github-actions · 2024-01-15T16:13:01Z

`TFSEC Scan` Success

Show Output

```hcl

TFSEC will check the following folders:
terraform/environments/hmpps-domain-services

Running TFSEC in terraform/environments/hmpps-domain-services
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

timings
──────────────────────────────────────────
disk i/o 1.486387ms
parsing 145.315704ms
adaptation 110.117µs
checks 2.922236ms
total 149.834444ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 5
blocks processed 279
files read 73

results
──────────────────────────────────────────
passed 1
ignored 0
critical 0
high 0
medium 0
low 0

No problems detected!

tfsec_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/hmpps-domain-services

*****************************

Running Checkov in terraform/environments/hmpps-domain-services
terraform scan results:

Passed checks: 95, Failed checks: 0, Skipped checks: 19


checkov_exitcode=0

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/hmpps-domain-services

*****************************

Running tflint in terraform/environments/hmpps-domain-services
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

`Trivy Scan`

Show Output

drobinson-moj

Just worry that this is complicating things somewhat with all the extra outputs. I think if we just set enable_ec2_oracle_enterprise_managed_server = true in hmpps-oem account it eliminates a lot of the code. And effectively an OEM manager is managing itself, so needs to have these permissions.

terraform/environments/hmpps-oem/locals.tf

drobinson-moj · 2024-01-15T17:17:55Z

terraform/environments/hmpps-oem/locals.tf

@@ -40,6 +39,58 @@ locals {
  baseline_ec2_autoscaling_groups        = {}
  baseline_ec2_instances                 = {}
  baseline_iam_policies = {
+    OracleEnterpriseManagementSecretsPolicy = module.baseline_presets.iam_policies_all.OracleEnterpriseManagementSecretsPolicy,


If we set enable_ec2_oracle_enterprise_managed_server = true then we don't need this.

drobinson-moj · 2024-01-15T17:18:11Z

terraform/environments/hmpps-oem/locals.tf

@@ -95,6 +146,8 @@ locals {
    }
  }
  baseline_iam_roles = {
+    # allow EC2 instance profiles ability to assume this role
+    EC2OracleEnterpriseManagementSecretsRole = module.baseline_presets.iam_roles_all.EC2OracleEnterpriseManagementSecretsRole


If we set enable_ec2_oracle_enterprise_managed_server = true then we don't need this.

drobinson-moj · 2024-01-15T17:18:34Z

terraform/environments/hmpps-oem/locals.tf

@@ -153,6 +206,7 @@ locals {
        }
      }
    }
+    "account" = module.baseline_presets.ssm_parameters_all.account


If we set enable_ec2_oracle_enterprise_managed_server = true then we don't need this.

drobinson-moj · 2024-01-15T17:20:10Z

terraform/modules/baseline_presets/iam_policy_statements_ec2.tf

-          "arn:aws:s3:::*"
-        ]
-      },
+    DBSecrets = [


Is this being used now - I couldn't see it referenced. But if it is, I'd think about changing the name

drobinson-moj · 2024-01-15T17:20:32Z

terraform/modules/baseline_presets/outputs.tf

+
+  value = local.iam_roles
+}
+


We shouldn't need this (or the other 2 outputs either)

github-actions · 2024-01-16T09:47:45Z

`TFSEC Scan` Success

Show Output

```hcl

TFSEC will check the following folders:

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:

`Trivy Scan`

Show Output

github-actions · 2024-01-16T09:51:40Z

`TFSEC Scan` Success

Show Output

```hcl

TFSEC will check the following folders:

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:

`Trivy Scan`

Show Output

less permissive db permissions

e240869

less permissive db permissions

wullub requested review from a team as code owners January 12, 2024 16:55

github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jan 12, 2024

wullub temporarily deployed to oasys-development January 12, 2024 16:56 — with GitHub Actions Inactive

wullub temporarily deployed to oasys-test January 12, 2024 16:57 — with GitHub Actions Inactive

Update iam_policies.tf

1606404

wullub had a problem deploying to oasys-development January 15, 2024 12:25 — with GitHub Actions Failure

wullub had a problem deploying to oasys-test January 15, 2024 12:26 — with GitHub Actions Failure

Update locals_test.tf

5162831

wullub requested review from a team as code owners January 15, 2024 12:27

wullub had a problem deploying to hmpps-oem-development January 15, 2024 12:29 — with GitHub Actions Failure

wullub had a problem deploying to oasys-test January 15, 2024 12:29 — with GitHub Actions Failure

wullub had a problem deploying to hmpps-oem-test January 15, 2024 12:29 — with GitHub Actions Failure

wullub had a problem deploying to oasys-development January 15, 2024 12:29 — with GitHub Actions Failure

wullub added 3 commits January 15, 2024 13:11

..

ecefabd

Update locals_test.tf

ed08921

Update locals.tf

1aec36d

wullub had a problem deploying to hmpps-oem-test January 15, 2024 13:56 — with GitHub Actions Failure

wullub had a problem deploying to hmpps-oem-development January 15, 2024 13:57 — with GitHub Actions Failure

wullub had a problem deploying to oasys-development January 15, 2024 14:02 — with GitHub Actions Failure

wullub added 2 commits January 15, 2024 14:11

Update locals.tf

1c78e4f

Merge branch 'main' into less-permissive-db-permissions

b197db8

wullub had a problem deploying to hmpps-oem-development January 15, 2024 14:15 — with GitHub Actions Failure

wullub had a problem deploying to hmpps-oem-test January 15, 2024 14:15 — with GitHub Actions Failure

wullub had a problem deploying to oasys-development January 15, 2024 14:15 — with GitHub Actions Failure

..

9f28b57

wullub had a problem deploying to oasys-development January 15, 2024 15:43 — with GitHub Actions Failure

wullub had a problem deploying to hmpps-oem-test January 15, 2024 15:44 — with GitHub Actions Failure

wullub had a problem deploying to hmpps-oem-development January 15, 2024 15:44 — with GitHub Actions Failure

wullub had a problem deploying to oasys-test January 15, 2024 15:44 — with GitHub Actions Failure

..

33006c1

wullub had a problem deploying to hmpps-oem-development January 15, 2024 15:57 — with GitHub Actions Failure

wullub had a problem deploying to oasys-development January 15, 2024 15:57 — with GitHub Actions Failure

wullub had a problem deploying to oasys-test January 15, 2024 15:57 — with GitHub Actions Failure

wullub had a problem deploying to hmpps-oem-test January 15, 2024 15:58 — with GitHub Actions Failure

..

d6ae68d

wullub temporarily deployed to oasys-development January 15, 2024 16:12 — with GitHub Actions Inactive

wullub had a problem deploying to hmpps-oem-development January 15, 2024 16:12 — with GitHub Actions Failure

wullub had a problem deploying to hmpps-oem-test January 15, 2024 16:12 — with GitHub Actions Failure

wullub temporarily deployed to oasys-test January 15, 2024 16:12 — with GitHub Actions Inactive

drobinson-moj reviewed Jan 15, 2024

View reviewed changes

..

934d3cf

wullub had a problem deploying to hmpps-oem-test January 16, 2024 09:47 — with GitHub Actions Failure

wullub had a problem deploying to hmpps-oem-development January 16, 2024 09:47 — with GitHub Actions Failure

Update outputs.tf

59a31f9

wullub temporarily deployed to hmpps-oem-development January 16, 2024 09:51 — with GitHub Actions Inactive

wullub temporarily deployed to hmpps-oem-test January 16, 2024 09:51 — with GitHub Actions Inactive

drobinson-moj approved these changes Jan 16, 2024

View reviewed changes

wullub merged commit 1b92887 into main Jan 16, 2024
26 checks passed

wullub deleted the less-permissive-db-permissions branch January 16, 2024 10:01

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

less permissive db permissions #4531

less permissive db permissions #4531

wullub commented Jan 12, 2024

github-actions bot commented Jan 12, 2024

github-actions bot commented Jan 15, 2024

You can read more here:
aquasecurity/tfsec#1994

github-actions bot commented Jan 15, 2024

You can read more here:
aquasecurity/tfsec#1994

github-actions bot commented Jan 15, 2024

You can read more here:
aquasecurity/tfsec#1994

github-actions bot commented Jan 15, 2024

You can read more here:
aquasecurity/tfsec#1994

github-actions bot commented Jan 15, 2024

You can read more here:
aquasecurity/tfsec#1994

drobinson-moj left a comment

drobinson-moj Jan 15, 2024

drobinson-moj Jan 15, 2024

drobinson-moj Jan 15, 2024

drobinson-moj Jan 15, 2024

drobinson-moj Jan 15, 2024

github-actions bot commented Jan 16, 2024

github-actions bot commented Jan 16, 2024

less permissive db permissions #4531

less permissive db permissions #4531

Conversation

wullub commented Jan 12, 2024

github-actions bot commented Jan 12, 2024

Checkov Scan Success

CTFLint Scan Success

Trivy Scan

github-actions bot commented Jan 15, 2024

TFSEC Scan Success

You can read more here: aquasecurity/tfsec#1994

CTFLint Scan Success

Trivy Scan

github-actions bot commented Jan 15, 2024

TFSEC Scan Success

You can read more here: aquasecurity/tfsec#1994

CTFLint Scan Success

Trivy Scan

github-actions bot commented Jan 15, 2024

TFSEC Scan Success

You can read more here: aquasecurity/tfsec#1994

CTFLint Scan Success

Trivy Scan

github-actions bot commented Jan 15, 2024

TFSEC Scan Success

You can read more here: aquasecurity/tfsec#1994

CTFLint Scan Success

Trivy Scan

github-actions bot commented Jan 15, 2024

TFSEC Scan Success

You can read more here: aquasecurity/tfsec#1994

CTFLint Scan Success

Trivy Scan

drobinson-moj left a comment

Choose a reason for hiding this comment

drobinson-moj Jan 15, 2024

Choose a reason for hiding this comment

drobinson-moj Jan 15, 2024

Choose a reason for hiding this comment

drobinson-moj Jan 15, 2024

Choose a reason for hiding this comment

drobinson-moj Jan 15, 2024

Choose a reason for hiding this comment

drobinson-moj Jan 15, 2024

Choose a reason for hiding this comment

github-actions bot commented Jan 16, 2024

TFSEC Scan Success

CTFLint Scan Success

Trivy Scan

github-actions bot commented Jan 16, 2024

TFSEC Scan Success

CTFLint Scan Success

Trivy Scan

`Checkov Scan` Success

`CTFLint Scan` Success

`Trivy Scan`

`TFSEC Scan` Success

You can read more here:
aquasecurity/tfsec#1994

`CTFLint Scan` Success

`Trivy Scan`

`TFSEC Scan` Success

You can read more here:
aquasecurity/tfsec#1994

`CTFLint Scan` Success

`Trivy Scan`

`TFSEC Scan` Success

You can read more here:
aquasecurity/tfsec#1994

`CTFLint Scan` Success

`Trivy Scan`

`TFSEC Scan` Success

You can read more here:
aquasecurity/tfsec#1994

`CTFLint Scan` Success

`Trivy Scan`

`TFSEC Scan` Success

You can read more here:
aquasecurity/tfsec#1994

`CTFLint Scan` Success

`Trivy Scan`

`TFSEC Scan` Success

`CTFLint Scan` Success

`Trivy Scan`

`TFSEC Scan` Success

`CTFLint Scan` Success

`Trivy Scan`