Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use name_prefix for uniqueness #636

Merged
merged 3 commits into from
Oct 24, 2024
Merged

Use name_prefix for uniqueness #636

merged 3 commits into from
Oct 24, 2024

Conversation

richgreen-moj
Copy link
Contributor

A reference to the issue / Description of it

ministryofjustice/modernisation-platform#8076

When rolling out v7.9.0 of the baseline I noticed a clash in the naming of KMS key in the core-network-services account.

How does this PR fix the problem?

I've used name_prefix for the KMS Key alias which adds a unique ID to the key.

How has this been tested?

I've tested it by deploying in sprinkler locally.

@richgreen-moj richgreen-moj requested a review from a team as a code owner October 23, 2024 15:43
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
modules/securityhub
test/securityhub-test

Running Trivy in modules/securityhub
2024-10-23T15:45:03Z INFO [vulndb] Need to update DB
2024-10-23T15:45:03Z INFO [vulndb] Downloading vulnerability DB...
2024-10-23T15:45:03Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T15:45:03Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 680.625µs, allowed: 44000/minute\n\n"
2024-10-23T15:45:03Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=1

Running Trivy in test/securityhub-test
2024-10-23T15:45:03Z INFO [vulndb] Need to update DB
2024-10-23T15:45:03Z INFO [vulndb] Downloading vulnerability DB...
2024-10-23T15:45:03Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T15:45:03Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:cae74bde88d988a66b3a4fb824b17b48f38c92258dfecbb748975694233641be: TOOMANYREQUESTS: retry-after: 16.093µs, allowed: 44000/minute"
2024-10-23T15:45:03Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=2

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
modules/securityhub
test/securityhub-test

*****************************

Running Checkov in modules/securityhub
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-23 15:45:06,153 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 26, Failed checks: 0, Skipped checks: 3


checkov_exitcode=0

*****************************

Running Checkov in test/securityhub-test
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 28, Failed checks: 0, Skipped checks: 3


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
modules/securityhub
test/securityhub-test

*****************************

Running tflint in modules/securityhub
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in test/securityhub-test
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
modules/securityhub
test/securityhub-test

*****************************

Running Trivy in modules/securityhub
2024-10-23T15:45:03Z	INFO	[vulndb] Need to update DB
2024-10-23T15:45:03Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-23T15:45:03Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T15:45:03Z	ERROR	[vulndb] Failed to download artifact	repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 680.625µs, allowed: 44000/minute\n\n"
2024-10-23T15:45:03Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=1

*****************************

Running Trivy in test/securityhub-test
2024-10-23T15:45:03Z	INFO	[vulndb] Need to update DB
2024-10-23T15:45:03Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-23T15:45:03Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T15:45:03Z	ERROR	[vulndb] Failed to download artifact	repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:cae74bde88d988a66b3a4fb824b17b48f38c92258dfecbb748975694233641be: TOOMANYREQUESTS: retry-after: 16.093µs, allowed: 44000/minute"
2024-10-23T15:45:03Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=2

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
modules/securityhub
test/securityhub-test

Running Trivy in modules/securityhub
2024-10-23T15:48:48Z INFO [vulndb] Need to update DB
2024-10-23T15:48:48Z INFO [vulndb] Downloading vulnerability DB...
2024-10-23T15:48:48Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T15:48:50Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T15:48:50Z INFO [vuln] Vulnerability scanning is enabled
2024-10-23T15:48:50Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-23T15:48:50Z INFO [misconfig] Need to update the built-in checks
2024-10-23T15:48:50Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-23T15:48:51Z INFO [secret] Secret scanning is enabled
2024-10-23T15:48:51Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-23T15:48:51Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-23T15:48:52Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-23T15:48:53Z INFO Number of language-specific files num=0
2024-10-23T15:48:53Z INFO Detected config files num=1
trivy_exitcode=0

Running Trivy in test/securityhub-test
2024-10-23T15:48:53Z INFO [vuln] Vulnerability scanning is enabled
2024-10-23T15:48:53Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-23T15:48:53Z INFO [secret] Secret scanning is enabled
2024-10-23T15:48:53Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-23T15:48:53Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-23T15:48:54Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-23T15:48:54Z INFO Number of language-specific files num=0
2024-10-23T15:48:54Z INFO Detected config files num=1
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
modules/securityhub
test/securityhub-test

*****************************

Running Checkov in modules/securityhub
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-23 15:48:57,405 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 26, Failed checks: 0, Skipped checks: 3


checkov_exitcode=0

*****************************

Running Checkov in test/securityhub-test
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 28, Failed checks: 0, Skipped checks: 3


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
modules/securityhub
test/securityhub-test

*****************************

Running tflint in modules/securityhub
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in test/securityhub-test
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
modules/securityhub
test/securityhub-test

*****************************

Running Trivy in modules/securityhub
2024-10-23T15:48:48Z	INFO	[vulndb] Need to update DB
2024-10-23T15:48:48Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-23T15:48:48Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T15:48:50Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T15:48:50Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-23T15:48:50Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-23T15:48:50Z	INFO	[misconfig] Need to update the built-in checks
2024-10-23T15:48:50Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-23T15:48:51Z	INFO	[secret] Secret scanning is enabled
2024-10-23T15:48:51Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-23T15:48:51Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-23T15:48:52Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-23T15:48:53Z	INFO	Number of language-specific files	num=0
2024-10-23T15:48:53Z	INFO	Detected config files	num=1
trivy_exitcode=0

*****************************

Running Trivy in test/securityhub-test
2024-10-23T15:48:53Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-23T15:48:53Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-23T15:48:53Z	INFO	[secret] Secret scanning is enabled
2024-10-23T15:48:53Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-23T15:48:53Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-23T15:48:54Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-23T15:48:54Z	INFO	Number of language-specific files	num=0
2024-10-23T15:48:54Z	INFO	Detected config files	num=1
trivy_exitcode=0

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
modules/securityhub

Running Trivy in modules/securityhub
2024-10-23T17:21:16Z INFO [vulndb] Need to update DB
2024-10-23T17:21:16Z INFO [vulndb] Downloading vulnerability DB...
2024-10-23T17:21:16Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T17:21:16Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 945.448µs, allowed: 44000/minute\n\n"
2024-10-23T17:21:16Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=1

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
modules/securityhub

*****************************

Running Checkov in modules/securityhub
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-23 17:21:19,557 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 26, Failed checks: 0, Skipped checks: 3


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
modules/securityhub

*****************************

Running tflint in modules/securityhub
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
modules/securityhub

*****************************

Running Trivy in modules/securityhub
2024-10-23T17:21:16Z	INFO	[vulndb] Need to update DB
2024-10-23T17:21:16Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-23T17:21:16Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T17:21:16Z	ERROR	[vulndb] Failed to download artifact	repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 945.448µs, allowed: 44000/minute\n\n"
2024-10-23T17:21:16Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
modules/securityhub

Running Trivy in modules/securityhub
2024-10-23T17:22:31Z INFO [vulndb] Need to update DB
2024-10-23T17:22:31Z INFO [vulndb] Downloading vulnerability DB...
2024-10-23T17:22:31Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T17:22:34Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T17:22:34Z INFO [vuln] Vulnerability scanning is enabled
2024-10-23T17:22:34Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-23T17:22:34Z INFO [misconfig] Need to update the built-in checks
2024-10-23T17:22:34Z INFO [misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-23T17:22:34Z INFO [secret] Secret scanning is enabled
2024-10-23T17:22:34Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-23T17:22:34Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-23T17:22:35Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-23T17:22:36Z INFO Number of language-specific files num=0
2024-10-23T17:22:36Z INFO Detected config files num=1
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
modules/securityhub

*****************************

Running Checkov in modules/securityhub
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-10-23 17:22:39,200 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 26, Failed checks: 0, Skipped checks: 3


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
modules/securityhub

*****************************

Running tflint in modules/securityhub
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
modules/securityhub

*****************************

Running Trivy in modules/securityhub
2024-10-23T17:22:31Z	INFO	[vulndb] Need to update DB
2024-10-23T17:22:31Z	INFO	[vulndb] Downloading vulnerability DB...
2024-10-23T17:22:31Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T17:22:34Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-10-23T17:22:34Z	INFO	[vuln] Vulnerability scanning is enabled
2024-10-23T17:22:34Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-10-23T17:22:34Z	INFO	[misconfig] Need to update the built-in checks
2024-10-23T17:22:34Z	INFO	[misconfig] Downloading the built-in checks...
156.02 KiB / 156.02 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-10-23T17:22:34Z	INFO	[secret] Secret scanning is enabled
2024-10-23T17:22:34Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-23T17:22:34Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.56/docs/scanner/secret#recommendation for faster secret detection
2024-10-23T17:22:35Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-10-23T17:22:36Z	INFO	Number of language-specific files	num=0
2024-10-23T17:22:36Z	INFO	Detected config files	num=1
trivy_exitcode=0

@richgreen-moj richgreen-moj merged commit c27c1e9 into main Oct 24, 2024
4 checks passed
@richgreen-moj richgreen-moj deleted the feature/8067-kms-name branch October 24, 2024 07:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ewastempel ewastempel ewastempel approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@richgreen-moj @ewastempel