Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New environment for cdpt-ifs #5688

Merged
merged 1 commit into from
Dec 5, 2023
Merged

New environment for cdpt-ifs #5688

merged 1 commit into from
Dec 5, 2023

Conversation

markgov
Copy link
Contributor

@markgov markgov commented Dec 5, 2023

A reference to the issue / Description of it

Environment details
We require an environment that will allow us to host a C# application on .NET Framework 4.8 with SQL Server

Application Name
cdpt-ifs

Description of application
It is a business-critical function for managing fraud cases in different parts of the organisation.

Integrated Fraud System is a .NET Framework 4.8 application built using the MVC design pattern, using a SQL Server database.

How does this PR fix the problem?

This Pr is creating a new account as requested above

Checklist (check x in [ ] of list items)

  • I have performed a self-review of my own code
  • All checks have passed
  • I have made corresponding changes to the documentation
  • Plan and discussed how it should be deployed to PROD (If needed)

Additional comments (if any)

{Please write here}

@markgov markgov requested a review from a team as a code owner December 5, 2023 10:27
@github-actions github-actions bot added onboarding Tasks to onboard teams testing labels Dec 5, 2023
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Dec 5, 2023

TFSEC Scan Failed

Show Output 
*****************************

TFSEC will check the following folders:
terraform/environments/core-shared-services

*****************************

Running TFSEC in terraform/environments/core-shared-services
Excluding the following checks: aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Result #1 HIGH Topic does not have encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  instance-scheduler-lambda-function.tf:80-82
────────────────────────────────────────────────────────────────────────────────
   80    resource "aws_sns_topic" "on_failure" {
   81      name = "instance-scheduler-event-notification-topic-on-failure"
   82    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-sns-enable-topic-encryption
      Impact The SNS topic messages could be read if compromised
  Resolution Turn on SNS Topic encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/sns/enable-topic-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#example-with-server-side-encryption-sse
────────────────────────────────────────────────────────────────────────────────


Result #2 HIGH Topic does not have encryption enabled. 
────────────────────────────────────────────────────────────────────────────────
  instance-scheduler-lambda-function.tf:84-86
────────────────────────────────────────────────────────────────────────────────
   84    resource "aws_sns_topic" "on_success" {
   85      name = "instance-scheduler-event-notification-topic-on-success"
   86    }
────────────────────────────────────────────────────────────────────────────────
          ID aws-sns-enable-topic-encryption
      Impact The SNS topic messages could be read if compromised
  Resolution Turn on SNS Topic encryption

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/sns/enable-topic-encryption/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/sns_topic#example-with-server-side-encryption-sse
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             3.325353ms
  parsing              7.138312506s
  adaptation           8.869556ms
  checks               12.776889ms
  total                7.163284304s

  counts
  ──────────────────────────────────────────
  modules downloaded   6
  modules processed    44
  blocks processed     768
  files read           191

  results
  ──────────────────────────────────────────
  passed               135
  ignored              142
  critical             0
  high                 2
  medium               0
  low                  0

  135 passed, 142 ignored, 2 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

Show Output 
*****************************

Checkov will check the following folders:
terraform/environments/core-shared-services

*****************************

Running Checkov in terraform/environments/core-shared-services
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2023-12-05 10:30:07,492 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-lambda-function?ref=20e0d9e27402d1e012159a41b474da908d74941b:None (for external modules, the --download-external-modules flag is required)
2023-12-05 10:30:07,493 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0:None (for external modules, the --download-external-modules flag is required)
2023-12-05 10:30:07,493 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1:None (for external modules, the --download-external-modules flag is required)
2023-12-05 10:30:07,493 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-provider?ref=82f546bd5f002674138a2ccdade7d7618c6758b3:None (for external modules, the --download-external-modules flag is required)
2023-12-05 10:30:07,493 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-cross-account-access?ref=6819b090bce6d3068d55c7c7b9b3fd18c9dca648:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 744, Failed checks: 3, Skipped checks: 62

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: pagerduty_core_alerts
	File: /instance-scheduler-lambda-function.tf:89-96
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		89 | module "pagerduty_core_alerts" {
		90 |   depends_on = [
		91 |     aws_sns_topic.on_failure, aws_sns_topic.on_success
		92 |   ]
		93 |   source                    = "github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=v2.0.0"
		94 |   sns_topics                = [aws_sns_topic.on_failure.name, aws_sns_topic.on_success.name]
		95 |   pagerduty_integration_key = local.pagerduty_integration_keys["operations_cloudwatch"]
		96 | }
Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.on_failure
	File: /instance-scheduler-lambda-function.tf:80-82
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		80 | resource "aws_sns_topic" "on_failure" {
		81 |   name = "instance-scheduler-event-notification-topic-on-failure"
		82 | }

Check: CKV_AWS_26: "Ensure all data stored in the SNS topic is encrypted"
	FAILED for resource: aws_sns_topic.on_success
	File: /instance-scheduler-lambda-function.tf:84-86
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/general-15

		84 | resource "aws_sns_topic" "on_success" {
		85 |   name = "instance-scheduler-event-notification-topic-on-success"
		86 | }


checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/core-shared-services

*****************************

Running tflint in terraform/environments/core-shared-services
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

@markgov markgov closed this Dec 5, 2023
@markgov markgov reopened this Dec 5, 2023
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Dec 5, 2023

TFSEC Scan Success

Show Output 
*****************************

TFSEC will check the following folders:

Checkov Scan Success

Show Output 
*****************************

Checkov will check the following folders:

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:

@markgov markgov merged commit 021e495 into main Dec 5, 2023
27 of 28 checks passed
@markgov markgov deleted the env/Integrated-Fraud-System-IFS-5540 branch December 5, 2023 10:46
@markgov markgov mentioned this pull request Dec 5, 2023
Closed
11 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ASTRobinson ASTRobinson ASTRobinson approved these changes

Assignees
No one assigned
Labels
onboarding Tasks to onboard teams
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@markgov @ASTRobinson