Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

👑 Modernisation Platform on Observability Platform #9237

Merged
merged 2 commits into from
Jan 7, 2025
Merged

👑 Modernisation Platform on Observability Platform #9237

merged 2 commits into from
Jan 7, 2025

Conversation

jacobwoffenden
Copy link
Member

This pull request:

Signed-off-by: Jacob Woffenden jacob.woffenden@justice.gov.uk

@jacobwoffenden
Maybe this will work
4eab6e2 
Signed-off-by: GitHub <noreply@github.com>
@jacobwoffenden jacobwoffenden self-assigned this Jan 7, 2025
@jacobwoffenden jacobwoffenden requested review from a team as code owners January 7, 2025 12:11
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jan 7, 2025
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 7, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/observability-platform
terraform/environments/observability-platform/modules/observability-platform/tenant-configuration

Running Trivy in terraform/environments/observability-platform
2025-01-07T12:13:46Z INFO [vulndb] Need to update DB
2025-01-07T12:13:46Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T12:13:46Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T12:13:49Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T12:13:49Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T12:13:49Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T12:13:49Z INFO [misconfig] Need to update the built-in checks
2025-01-07T12:13:49Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-07T12:13:49Z INFO [secret] Secret scanning is enabled
2025-01-07T12:13:49Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T12:13:49Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T12:13:50Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T12:13:50Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T12:13:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="data.aws_identitystore_group.all_identity_centre_teams" value="cty.NilVal"
2025-01-07T12:13:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.contact_point_pagerduty" value="cty.NilVal"
2025-01-07T12:13:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.contact_point_slack" value="cty.NilVal"
2025-01-07T12:13:50Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.tenant_configuration" value="cty.NilVal"
2025-01-07T12:13:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="grafana_notification_policy.root" err="2 errors occurred:\n\t* invalid for-each in grafana_notification_policy.root.dynamic.policy block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in grafana_notification_policy.root.dynamic.policy block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:50Z ERROR [terraform evaluator] Failed to expand dynamic block. block="grafana_notification_policy.root" err="2 errors occurred:\n\t* invalid for-each in grafana_notification_policy.root.dynamic.policy block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in grafana_notification_policy.root.dynamic.policy block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.grafana_api_key_rotator.aws_lambda_function.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.grafana_api_key_rotator.aws_lambda_function.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.grafana_api_key_rotator.aws_lambda_function.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.grafana_api_key_rotator.aws_lambda_function.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:52Z INFO [terraform executor] Ignore finding rule="aws-lambda-enable-tracing" range="git::https:/github.com/terraform-aws-modules/terraform-aws-lambda?ref=f48be17ec03a53b85b7da1f2ad8787792f2425ee/main.tf:24-166"
2025-01-07T12:13:52Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:2-7"
2025-01-07T12:13:52Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:10-15"
2025-01-07T12:13:52Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:18-23"
2025-01-07T12:13:52Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:26-31"
2025-01-07T12:13:52Z INFO Number of language-specific files num=0
2025-01-07T12:13:52Z INFO Detected config files num=3
trivy_exitcode=0

Running Trivy in terraform/environments/observability-platform/modules/observability-platform/tenant-configuration
2025-01-07T12:13:52Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T12:13:52Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T12:13:52Z INFO [secret] Secret scanning is enabled
2025-01-07T12:13:52Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T12:13:52Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T12:13:53Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T12:13:53Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="environment_management, identity_centre_team, name"
2025-01-07T12:13:53Z INFO Number of language-specific files num=0
2025-01-07T12:13:53Z INFO Detected config files num=1
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/observability-platform
terraform/environments/observability-platform/modules/observability-platform/tenant-configuration

*****************************

Running Checkov in terraform/environments/observability-platform
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-07 12:13:55,761 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:13:55,761 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-grafana/aws:2.1.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:13:55,761 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.7.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:13:55,761 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:13:55,761 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-prometheus/aws:2.2.3 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:13:55,761 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 30, Failed checks: 0, Skipped checks: 22


checkov_exitcode=0

*****************************

Running Checkov in terraform/environments/observability-platform/modules/observability-platform/tenant-configuration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 11, Failed checks: 0, Skipped checks: 4


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/observability-platform
terraform/environments/observability-platform/modules/observability-platform/tenant-configuration

*****************************

Running tflint in terraform/environments/observability-platform
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/observability-platform/modules/observability-platform/tenant-configuration
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/observability-platform
terraform/environments/observability-platform/modules/observability-platform/tenant-configuration

*****************************

Running Trivy in terraform/environments/observability-platform
2025-01-07T12:13:46Z	INFO	[vulndb] Need to update DB
2025-01-07T12:13:46Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-07T12:13:46Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T12:13:49Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T12:13:49Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-07T12:13:49Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-07T12:13:49Z	INFO	[misconfig] Need to update the built-in checks
2025-01-07T12:13:49Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-07T12:13:49Z	INFO	[secret] Secret scanning is enabled
2025-01-07T12:13:49Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T12:13:49Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T12:13:50Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-07T12:13:50Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-07T12:13:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="data.aws_identitystore_group.all_identity_centre_teams" value="cty.NilVal"
2025-01-07T12:13:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.contact_point_pagerduty" value="cty.NilVal"
2025-01-07T12:13:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.contact_point_slack" value="cty.NilVal"
2025-01-07T12:13:50Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.tenant_configuration" value="cty.NilVal"
2025-01-07T12:13:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="grafana_notification_policy.root" err="2 errors occurred:\n\t* invalid for-each in grafana_notification_policy.root.dynamic.policy block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in grafana_notification_policy.root.dynamic.policy block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:50Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="grafana_notification_policy.root" err="2 errors occurred:\n\t* invalid for-each in grafana_notification_policy.root.dynamic.policy block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in grafana_notification_policy.root.dynamic.policy block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.grafana_api_key_rotator.aws_lambda_function.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.grafana_api_key_rotator.aws_lambda_function.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.grafana_api_key_rotator.aws_lambda_function.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.grafana_api_key_rotator.aws_lambda_function.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:52Z	INFO	[terraform executor] Ignore finding	rule="aws-lambda-enable-tracing" range="git::https:/github.com/terraform-aws-modules/terraform-aws-lambda?ref=f48be17ec03a53b85b7da1f2ad8787792f2425ee/main.tf:24-166"
2025-01-07T12:13:52Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:2-7"
2025-01-07T12:13:52Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:10-15"
2025-01-07T12:13:52Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:18-23"
2025-01-07T12:13:52Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:26-31"
2025-01-07T12:13:52Z	INFO	Number of language-specific files	num=0
2025-01-07T12:13:52Z	INFO	Detected config files	num=3
trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/observability-platform/modules/observability-platform/tenant-configuration
2025-01-07T12:13:52Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-07T12:13:52Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-07T12:13:52Z	INFO	[secret] Secret scanning is enabled
2025-01-07T12:13:52Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T12:13:52Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T12:13:53Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-07T12:13:53Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="environment_management, identity_centre_team, name"
2025-01-07T12:13:53Z	INFO	Number of language-specific files	num=0
2025-01-07T12:13:53Z	INFO	Detected config files	num=1
trivy_exitcode=0

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jan 7, 2025

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/observability-platform
terraform/environments/observability-platform/modules/observability-platform/tenant-configuration

Running Trivy in terraform/environments/observability-platform
2025-01-07T12:13:43Z INFO [vulndb] Need to update DB
2025-01-07T12:13:43Z INFO [vulndb] Downloading vulnerability DB...
2025-01-07T12:13:43Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T12:13:45Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T12:13:45Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T12:13:45Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T12:13:45Z INFO [misconfig] Need to update the built-in checks
2025-01-07T12:13:45Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-07T12:13:46Z INFO [secret] Secret scanning is enabled
2025-01-07T12:13:46Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T12:13:46Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T12:13:47Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T12:13:47Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-07T12:13:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="data.aws_identitystore_group.all_identity_centre_teams" value="cty.NilVal"
2025-01-07T12:13:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.contact_point_pagerduty" value="cty.NilVal"
2025-01-07T12:13:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.contact_point_slack" value="cty.NilVal"
2025-01-07T12:13:47Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.tenant_configuration" value="cty.NilVal"
2025-01-07T12:13:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="grafana_notification_policy.root" err="2 errors occurred:\n\t* invalid for-each in grafana_notification_policy.root.dynamic.policy block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in grafana_notification_policy.root.dynamic.policy block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:47Z ERROR [terraform evaluator] Failed to expand dynamic block. block="grafana_notification_policy.root" err="2 errors occurred:\n\t* invalid for-each in grafana_notification_policy.root.dynamic.policy block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in grafana_notification_policy.root.dynamic.policy block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.grafana_api_key_rotator.aws_lambda_function.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.grafana_api_key_rotator.aws_lambda_function.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.grafana_api_key_rotator.aws_lambda_function.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:52Z ERROR [terraform evaluator] Failed to expand dynamic block. block="module.grafana_api_key_rotator.aws_lambda_function.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:52Z INFO [terraform executor] Ignore finding rule="aws-lambda-enable-tracing" range="git::https:/github.com/terraform-aws-modules/terraform-aws-lambda?ref=f48be17ec03a53b85b7da1f2ad8787792f2425ee/main.tf:24-166"
2025-01-07T12:13:52Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:2-7"
2025-01-07T12:13:52Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:10-15"
2025-01-07T12:13:52Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:18-23"
2025-01-07T12:13:52Z INFO [terraform executor] Ignore finding rule="aws-ssm-secret-use-customer-key" range="secrets.tf:26-31"
2025-01-07T12:13:52Z INFO Number of language-specific files num=0
2025-01-07T12:13:52Z INFO Detected config files num=3
trivy_exitcode=0

Running Trivy in terraform/environments/observability-platform/modules/observability-platform/tenant-configuration
2025-01-07T12:13:52Z INFO [vuln] Vulnerability scanning is enabled
2025-01-07T12:13:52Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-07T12:13:52Z INFO [secret] Secret scanning is enabled
2025-01-07T12:13:52Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T12:13:52Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T12:13:53Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-07T12:13:53Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="environment_management, identity_centre_team, name"
2025-01-07T12:13:53Z INFO Number of language-specific files num=0
2025-01-07T12:13:53Z INFO Detected config files num=1
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/observability-platform
terraform/environments/observability-platform/modules/observability-platform/tenant-configuration

*****************************

Running Checkov in terraform/environments/observability-platform
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-07 12:13:56,829 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-policy:5.44.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:13:56,830 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-grafana/aws:2.1.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:13:56,830 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/lambda/aws:7.7.1 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:13:56,830 [MainThread  ] [WARNI]  Failed to download module ministryofjustice/observability-platform-tenant/aws:1.2.0 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:13:56,830 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/managed-service-prometheus/aws:2.2.3 (for external modules, the --download-external-modules flag is required)
2025-01-07 12:13:56,830 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-assumable-role:5.44.0 (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 30, Failed checks: 0, Skipped checks: 22


checkov_exitcode=0

*****************************

Running Checkov in terraform/environments/observability-platform/modules/observability-platform/tenant-configuration
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 11, Failed checks: 0, Skipped checks: 4


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/observability-platform
terraform/environments/observability-platform/modules/observability-platform/tenant-configuration

*****************************

Running tflint in terraform/environments/observability-platform
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/observability-platform/modules/observability-platform/tenant-configuration
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/observability-platform
terraform/environments/observability-platform/modules/observability-platform/tenant-configuration

*****************************

Running Trivy in terraform/environments/observability-platform
2025-01-07T12:13:43Z	INFO	[vulndb] Need to update DB
2025-01-07T12:13:43Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-07T12:13:43Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T12:13:45Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-07T12:13:45Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-07T12:13:45Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-07T12:13:45Z	INFO	[misconfig] Need to update the built-in checks
2025-01-07T12:13:45Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-07T12:13:46Z	INFO	[secret] Secret scanning is enabled
2025-01-07T12:13:46Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T12:13:46Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T12:13:47Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-07T12:13:47Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-07T12:13:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="data.aws_identitystore_group.all_identity_centre_teams" value="cty.NilVal"
2025-01-07T12:13:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.contact_point_pagerduty" value="cty.NilVal"
2025-01-07T12:13:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.contact_point_slack" value="cty.NilVal"
2025-01-07T12:13:47Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.tenant_configuration" value="cty.NilVal"
2025-01-07T12:13:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="grafana_notification_policy.root" err="2 errors occurred:\n\t* invalid for-each in grafana_notification_policy.root.dynamic.policy block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in grafana_notification_policy.root.dynamic.policy block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:47Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="grafana_notification_policy.root" err="2 errors occurred:\n\t* invalid for-each in grafana_notification_policy.root.dynamic.policy block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\t* invalid for-each in grafana_notification_policy.root.dynamic.policy block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.grafana_api_key_rotator.aws_lambda_function.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.grafana_api_key_rotator.aws_lambda_function.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.grafana_api_key_rotator.aws_lambda_function.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:52Z	ERROR	[terraform evaluator] Failed to expand dynamic block.	block="module.grafana_api_key_rotator.aws_lambda_function.this[0]" err="1 error occurred:\n\t* invalid for-each in aws_lambda_function.this[0].dynamic.logging_config block: cannot use a cty.NilVal value in for_each. An iterable collection is required\n\n"
2025-01-07T12:13:52Z	INFO	[terraform executor] Ignore finding	rule="aws-lambda-enable-tracing" range="git::https:/github.com/terraform-aws-modules/terraform-aws-lambda?ref=f48be17ec03a53b85b7da1f2ad8787792f2425ee/main.tf:24-166"
2025-01-07T12:13:52Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:2-7"
2025-01-07T12:13:52Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:10-15"
2025-01-07T12:13:52Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:18-23"
2025-01-07T12:13:52Z	INFO	[terraform executor] Ignore finding	rule="aws-ssm-secret-use-customer-key" range="secrets.tf:26-31"
2025-01-07T12:13:52Z	INFO	Number of language-specific files	num=0
2025-01-07T12:13:52Z	INFO	Detected config files	num=3
trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/observability-platform/modules/observability-platform/tenant-configuration
2025-01-07T12:13:52Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-07T12:13:52Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-07T12:13:52Z	INFO	[secret] Secret scanning is enabled
2025-01-07T12:13:52Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-07T12:13:52Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-07T12:13:53Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-07T12:13:53Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="environment_management, identity_centre_team, name"
2025-01-07T12:13:53Z	INFO	Number of language-specific files	num=0
2025-01-07T12:13:53Z	INFO	Detected config files	num=1
trivy_exitcode=0

@ASTRobinson ASTRobinson temporarily deployed to observability-platform-development January 7, 2025 12:16 — with GitHub Actions Inactive
@ASTRobinson ASTRobinson merged commit a6950f8 into main Jan 7, 2025
12 checks passed
@ASTRobinson ASTRobinson deleted the feat/mp-in-op branch January 7, 2025 12:19
@ASTRobinson ASTRobinson mentioned this pull request Jan 7, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ASTRobinson ASTRobinson ASTRobinson approved these changes

Assignees

@jacobwoffenden jacobwoffenden

Labels
environments-repository Used to exclude PRs from this repo in our Slack PR update
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Observability Platform - Add the modernisation-platform aws account as a cloudwatch data source
2 participants
@jacobwoffenden @ASTRobinson