Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Conditionally create SecurityHub alerting resources #648

Closed
wants to merge 4 commits into from
Closed

Conditionally create SecurityHub alerting resources #648

wants to merge 4 commits into from

Conversation

sukeshreddyg
Copy link
Contributor

This PR updates the securityhub module to ensure that certain resources, including CloudWatch Event Rules, SNS Topics, and KMS keys, are only created in the eu-west-2 region. The conditional creation is controlled by adding a sechub_alerting_region variable to the module and using count attributes for resources that should only exist in eu-west-2.

@sukeshreddyg sukeshreddyg requested a review from a team as a code owner November 5, 2024 10:33
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 5, 2024

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
modules/securityhub

Running Trivy in modules/securityhub
2024-11-05T10:35:53Z INFO [vulndb] Need to update DB
2024-11-05T10:35:53Z INFO [vulndb] Downloading vulnerability DB...
2024-11-05T10:35:53Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-05T10:35:55Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-05T10:35:55Z INFO [vuln] Vulnerability scanning is enabled
2024-11-05T10:35:55Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-05T10:35:55Z INFO [misconfig] Need to update the built-in checks
2024-11-05T10:35:55Z INFO [misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-11-05T10:35:55Z INFO [secret] Secret scanning is enabled
2024-11-05T10:35:55Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-05T10:35:55Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-05T10:35:56Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-05T10:35:57Z INFO Number of language-specific files num=0
2024-11-05T10:35:57Z INFO Detected config files num=1
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
modules/securityhub

*****************************

Running Checkov in modules/securityhub
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-05 10:35:59,766 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
2024-11-05 10:35:59,779 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-11-05 10:35:59,780 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 26, Failed checks: 0, Skipped checks: 3


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
modules/securityhub

*****************************

Running tflint in modules/securityhub
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
modules/securityhub

*****************************

Running Trivy in modules/securityhub
2024-11-05T10:35:53Z	INFO	[vulndb] Need to update DB
2024-11-05T10:35:53Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-05T10:35:53Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-05T10:35:55Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-05T10:35:55Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-05T10:35:55Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-05T10:35:55Z	INFO	[misconfig] Need to update the built-in checks
2024-11-05T10:35:55Z	INFO	[misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-11-05T10:35:55Z	INFO	[secret] Secret scanning is enabled
2024-11-05T10:35:55Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-05T10:35:55Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-05T10:35:56Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-05T10:35:57Z	INFO	Number of language-specific files	num=0
2024-11-05T10:35:57Z	INFO	Detected config files	num=1
trivy_exitcode=0

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 5, 2024

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
modules/securityhub

Running Trivy in modules/securityhub
2024-11-05T11:12:16Z INFO [vulndb] Need to update DB
2024-11-05T11:12:16Z INFO [vulndb] Downloading vulnerability DB...
2024-11-05T11:12:16Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-05T11:12:18Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-05T11:12:18Z INFO [vuln] Vulnerability scanning is enabled
2024-11-05T11:12:18Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-05T11:12:18Z INFO [misconfig] Need to update the built-in checks
2024-11-05T11:12:18Z INFO [misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-11-05T11:12:18Z INFO [secret] Secret scanning is enabled
2024-11-05T11:12:18Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-05T11:12:18Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-05T11:12:19Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-05T11:12:19Z INFO Number of language-specific files num=0
2024-11-05T11:12:19Z INFO Detected config files num=1
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
modules/securityhub

*****************************

Running Checkov in modules/securityhub
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-05 11:12:22,275 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
2024-11-05 11:12:22,289 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-11-05 11:12:22,289 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 26, Failed checks: 0, Skipped checks: 3


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
modules/securityhub

*****************************

Running tflint in modules/securityhub
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
modules/securityhub

*****************************

Running Trivy in modules/securityhub
2024-11-05T11:12:16Z	INFO	[vulndb] Need to update DB
2024-11-05T11:12:16Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-05T11:12:16Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-05T11:12:18Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-05T11:12:18Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-05T11:12:18Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-05T11:12:18Z	INFO	[misconfig] Need to update the built-in checks
2024-11-05T11:12:18Z	INFO	[misconfig] Downloading the built-in checks...
160.60 KiB / 160.60 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-11-05T11:12:18Z	INFO	[secret] Secret scanning is enabled
2024-11-05T11:12:18Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-05T11:12:18Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-05T11:12:19Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-05T11:12:19Z	INFO	Number of language-specific files	num=0
2024-11-05T11:12:19Z	INFO	Detected config files	num=1
trivy_exitcode=0

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 6, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
modules/securityhub

Running Trivy in modules/securityhub
2024-11-06T09:54:16Z INFO [vulndb] Need to update DB
2024-11-06T09:54:16Z INFO [vulndb] Downloading vulnerability DB...
2024-11-06T09:54:16Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-06T09:54:16Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 11.086µs, allowed: 44000/minute\n\n"
2024-11-06T09:54:16Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source: 1 error occurred:
* OCI repository error: 1 error occurred:
* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 11.086µs, allowed: 44000/minute

trivy_exitcode=1

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
modules/securityhub

*****************************

Running Checkov in modules/securityhub
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-06 09:54:19,405 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
2024-11-06 09:54:19,425 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-11-06 09:54:19,425 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 22, Failed checks: 0, Skipped checks: 3


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
modules/securityhub

*****************************

Running tflint in modules/securityhub
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
modules/securityhub

*****************************

Running Trivy in modules/securityhub
2024-11-06T09:54:16Z	INFO	[vulndb] Need to update DB
2024-11-06T09:54:16Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-06T09:54:16Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-06T09:54:16Z	ERROR	[vulndb] Failed to download artifact	repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 11.086µs, allowed: 44000/minute\n\n"
2024-11-06T09:54:16Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source: 1 error occurred:
	* OCI repository error: 1 error occurred:
	* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 11.086µs, allowed: 44000/minute




trivy_exitcode=1

@sukeshreddyg sukeshreddyg deleted the feature/conditional-securityhub-resources branch November 6, 2024 10:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@sukeshreddyg