DDLS-323 add trivy config scan to pipeline (#1765)
jamesrwarren authored Dec 16, 2024
1 parent 1aa6d1b commit 4b5752c
Showing 3 changed files with 28 additions and 30 deletions.
28 changes: 28 additions & 0 deletions .github/workflows/_lint-terraform.yml
Expand Up @@ -58,3 +58,31 @@ jobs:
echo $TF_WORKSPACE
terraform validate
working-directory: terraform/${{ matrix.folder }}

- name: configure OIDC AWS credentials for Trivy DB Ecr
uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 # pin@v1.7.0
with:
role-to-assume: arn:aws:iam::311462405659:role/digideps-gh-actions-ecr-push
role-session-name: github-actions-ecr-trivy-db
role-duration-seconds: 900
aws-region: eu-west-1

- name: ecr login for trivy db
id: login_ecr
uses: aws-actions/amazon-ecr-login@bfbd05a2dcf76451041cbd4b9d11cff82489a1ee # pin@v1.5.1
with:
registries: 311462405659

- name: Trivy Terraform Config Scan
id: trivy_scan
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
with:
scan-type: "config"
target: terraform/${{ matrix.folder }}
severity: "MEDIUM,HIGH,CRITICAL"
format: "sarif"
output: "trivy-results.sarif"
env:
TRIVY_TIMEOUT: 15m
TRIVY_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-java-db
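Review bot: The scan writes `trivy-results.sarif` but nothing in this hunk reads or uploads that file, and with no `exit-code` input the step appears to succeed regardless of findings, so MEDIUM/HIGH/CRITICAL misconfigurations end up in a file that is discarded unless a later step outside this hunk consumes it. Either add `exit-code: "1"` under `with:` so the lint job fails on findings, or follow the step with a SARIF upload (for example `github/codeql-action/upload-sarif` with `sarif_file: trivy-results.sarif`) so results reach code scanning. The `aquasecurity/trivy-action` pin also lacks the `# pin@vX.Y.Z` comment that the two AWS actions carry, which is what makes a bare SHA auditable; add the tag the SHA corresponds to, e.g. `# pin@<TRIVY_ACTION_VERSION>`. Since the assume-role step relies on OIDC, confirm the job carries `id-token: write` in the permissions block, which sits outside this hunk.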
22 changes: 0 additions & 22 deletions terraform/account/region/elasticache.tf
Expand Up @@ -26,17 +26,6 @@ resource "aws_elasticache_replication_group" "cache_api" {
}, var.default_tags)
}

# TO_DEL
resource "aws_security_group" "cache_api_sg" {
name = "${var.account.name}-account-cache-api"
vpc_id = aws_vpc.main.id
tags = merge(var.default_tags, { Name = "${var.account.name}-account-cache--api" })

lifecycle {
create_before_destroy = true
}
}

resource "aws_security_group" "api_cache_sg" {
name = "${var.account.name}-shared-cache-api"
description = "API Cache"
Expand Down Expand Up @@ -75,17 +64,6 @@ resource "aws_elasticache_replication_group" "front_api" {
}, var.default_tags)
}

# TO_DEL
resource "aws_security_group" "cache_front_sg" {
name = "${var.account.name}-account-cache-frontend"
vpc_id = aws_vpc.main.id
tags = merge(var.default_tags, { Name = "${var.account.name}-account-cache-frontend" })

lifecycle {
create_before_destroy = true
}
}

resource "aws_security_group" "front_cache_sg" {
name = "${var.account.name}-shared-cache-front"
vpc_id = aws_vpc.main.id
8 changes: 0 additions & 8 deletions terraform/environment/region/elasticache_sg.tf
Expand Up @@ -5,10 +5,6 @@ data "aws_elasticache_replication_group" "front_cache_cluster" {
replication_group_id = "frontend-redis-${var.account.name}"
}

data "aws_security_group" "front_cache_sg" {
name = "${var.account.name}-account-cache-frontend"
}

data "aws_security_group" "cache_front_sg" {
name = "${var.account.name}-shared-cache-front"
}
Expand Down Expand Up @@ -39,10 +35,6 @@ data "aws_elasticache_replication_group" "api_cache_cluster" {
replication_group_id = "api-redis-${var.account.name}"
}

data "aws_security_group" "api_cache_sg" {
name = "${var.account.name}-account-cache-api"
}

data "aws_security_group" "cache_api_sg" {
name = "${var.account.name}-shared-cache-api"
}
