Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

conditionally create SecurityHub alerting resources #650

Merged
merged 2 commits into from
Nov 6, 2024
Merged

conditionally create SecurityHub alerting resources #650

merged 2 commits into from
Nov 6, 2024

Conversation

sukeshreddyg
Copy link
Contributor

This PR updates the securityhub module to ensure that certain resources, including CloudWatch Event Rules, SNS Topics, and KMS keys, are only created in the eu-west-2 region. The conditional creation is controlled by adding a sechub_alerting_region variable to the module and using count attributes for resources that should only exist in eu-west-2.

@sukeshreddyg sukeshreddyg requested a review from a team as a code owner November 6, 2024 10:09
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 6, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
modules/securityhub

Running Trivy in modules/securityhub
2024-11-06T10:11:36Z INFO [vulndb] Need to update DB
2024-11-06T10:11:36Z INFO [vulndb] Downloading vulnerability DB...
2024-11-06T10:11:36Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-06T10:11:36Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 349.551µs, allowed: 44000/minute\n\n"
2024-11-06T10:11:36Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source: 1 error occurred:
* OCI repository error: 1 error occurred:
* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 349.551µs, allowed: 44000/minute

trivy_exitcode=1

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
modules/securityhub

*****************************

Running Checkov in modules/securityhub
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-06 10:11:39,092 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
2024-11-06 10:11:39,114 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-11-06 10:11:39,114 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 22, Failed checks: 0, Skipped checks: 3


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
modules/securityhub

*****************************

Running tflint in modules/securityhub
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
modules/securityhub

*****************************

Running Trivy in modules/securityhub
2024-11-06T10:11:36Z	INFO	[vulndb] Need to update DB
2024-11-06T10:11:36Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-06T10:11:36Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-06T10:11:36Z	ERROR	[vulndb] Failed to download artifact	repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 349.551µs, allowed: 44000/minute\n\n"
2024-11-06T10:11:36Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source: 1 error occurred:
	* OCI repository error: 1 error occurred:
	* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 349.551µs, allowed: 44000/minute




trivy_exitcode=1

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Nov 6, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
modules/securityhub
test/securityhub-test

Running Trivy in modules/securityhub
2024-11-06T12:13:32Z INFO [vulndb] Need to update DB
2024-11-06T12:13:32Z INFO [vulndb] Downloading vulnerability DB...
2024-11-06T12:13:32Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-06T12:13:32Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 876.009µs, allowed: 44000/minute\n\n"
2024-11-06T12:13:32Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source: 1 error occurred:
* OCI repository error: 1 error occurred:
* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 876.009µs, allowed: 44000/minute

trivy_exitcode=1

Running Trivy in test/securityhub-test
2024-11-06T12:13:32Z INFO [vulndb] Need to update DB
2024-11-06T12:13:32Z INFO [vulndb] Downloading vulnerability DB...
2024-11-06T12:13:32Z INFO [vulndb] Downloading artifact... repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-06T12:13:35Z INFO [vulndb] Artifact successfully downloaded repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-06T12:13:35Z INFO [vuln] Vulnerability scanning is enabled
2024-11-06T12:13:35Z INFO [misconfig] Misconfiguration scanning is enabled
2024-11-06T12:13:35Z INFO [misconfig] Need to update the built-in checks
2024-11-06T12:13:35Z INFO [misconfig] Downloading the built-in checks...
2024-11-06T12:13:35Z ERROR [misconfig] Falling back to embedded checks err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 577.688µs, allowed: 44000/minute\n\n"
2024-11-06T12:13:35Z INFO [secret] Secret scanning is enabled
2024-11-06T12:13:35Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-06T12:13:35Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-06T12:13:36Z INFO [terraform scanner] Scanning root module file_path="."
2024-11-06T12:13:36Z INFO Number of language-specific files num=0
2024-11-06T12:13:36Z INFO Detected config files num=1
trivy_exitcode=1

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
modules/securityhub
test/securityhub-test

*****************************

Running Checkov in modules/securityhub
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-06 12:13:38,761 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
2024-11-06 12:13:38,777 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-11-06 12:13:38,777 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 22, Failed checks: 0, Skipped checks: 3


checkov_exitcode=0

*****************************

Running Checkov in test/securityhub-test
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-11-06 12:13:41,709 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 vertices
2024-11-06 12:13:41,709 [MainThread  ] [WARNI]  [ArmLocalGraph] created 0 edges
terraform scan results:

Passed checks: 24, Failed checks: 0, Skipped checks: 3


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
modules/securityhub
test/securityhub-test

*****************************

Running tflint in modules/securityhub
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in test/securityhub-test
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
modules/securityhub
test/securityhub-test

*****************************

Running Trivy in modules/securityhub
2024-11-06T12:13:32Z	INFO	[vulndb] Need to update DB
2024-11-06T12:13:32Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-06T12:13:32Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-06T12:13:32Z	ERROR	[vulndb] Failed to download artifact	repo="ghcr.io/aquasecurity/trivy-db:2" err="OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 876.009µs, allowed: 44000/minute\n\n"
2024-11-06T12:13:32Z	FATAL	Fatal error	init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source: 1 error occurred:
	* OCI repository error: 1 error occurred:
	* GET https://ghcr.io/v2/aquasecurity/trivy-db/manifests/2: TOOMANYREQUESTS: retry-after: 876.009µs, allowed: 44000/minute




trivy_exitcode=1

*****************************

Running Trivy in test/securityhub-test
2024-11-06T12:13:32Z	INFO	[vulndb] Need to update DB
2024-11-06T12:13:32Z	INFO	[vulndb] Downloading vulnerability DB...
2024-11-06T12:13:32Z	INFO	[vulndb] Downloading artifact...	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-06T12:13:35Z	INFO	[vulndb] Artifact successfully downloaded	repo="ghcr.io/aquasecurity/trivy-db:2"
2024-11-06T12:13:35Z	INFO	[vuln] Vulnerability scanning is enabled
2024-11-06T12:13:35Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-11-06T12:13:35Z	INFO	[misconfig] Need to update the built-in checks
2024-11-06T12:13:35Z	INFO	[misconfig] Downloading the built-in checks...
2024-11-06T12:13:35Z	ERROR	[misconfig] Falling back to embedded checks	err="failed to download built-in policies: download error: OCI repository error: 1 error occurred:\n\t* GET https://ghcr.io/v2/aquasecurity/trivy-checks/manifests/1: TOOMANYREQUESTS: retry-after: 577.688µs, allowed: 44000/minute\n\n"
2024-11-06T12:13:35Z	INFO	[secret] Secret scanning is enabled
2024-11-06T12:13:35Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-11-06T12:13:35Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2024-11-06T12:13:36Z	INFO	[terraform scanner] Scanning root module	file_path="."
2024-11-06T12:13:36Z	INFO	Number of language-specific files	num=0
2024-11-06T12:13:36Z	INFO	Detected config files	num=1
trivy_exitcode=1

richgreen-moj
richgreen-moj approved these changes Nov 6, 2024
View reviewed changes
Copy link
Contributor

@richgreen-moj richgreen-moj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@sukeshreddyg sukeshreddyg merged commit dd8a60b into main Nov 6, 2024
3 of 4 checks passed
@sukeshreddyg sukeshreddyg deleted the feature/conditional-securityhub-resources branch November 6, 2024 12:47
@sukeshreddyg sukeshreddyg mentioned this pull request Nov 7, 2024
Closed
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@richgreen-moj richgreen-moj richgreen-moj approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@sukeshreddyg @richgreen-moj