From 972185128f26ee8e0b97156d17178867ede25706 Mon Sep 17 00:00:00 2001
From: jamesrwarren
Date: Wed, 11 Dec 2024 16:41:04 +0000
Subject: [PATCH] DDLS-323 add trivy config scan to pipeline
---
 .github/workflows/_lint-terraform.yml | 28 +++++++++++++++++++
 terraform/account/region/elasticache.tf | 22 --------------
 .../environment/region/elasticache_sg.tf | 8 ------
 3 files changed, 28 insertions(+), 30 deletions(-)
diff --git a/.github/workflows/_lint-terraform.yml b/.github/workflows/_lint-terraform.yml
index 867a774805..22a6fc0376 100644
--- a/.github/workflows/_lint-terraform.yml
+++ b/.github/workflows/_lint-terraform.yml
@@ -58,3 +58,31 @@ jobs:
 echo $TF_WORKSPACE
 terraform validate
 working-directory: terraform/${{ matrix.folder }}
+
+ - name: configure OIDC AWS credentials for ECR push
+ uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 # pin@v1.7.0
+ with:
+ role-to-assume: arn:aws:iam::311462405659:role/digideps-gh-actions-ecr-push
+ role-session-name: github-actions-ecr-push
+ role-duration-seconds: 900
+ aws-region: eu-west-1
+
+ - name: ecr login
+ id: login_ecr
+ uses: aws-actions/amazon-ecr-login@bfbd05a2dcf76451041cbd4b9d11cff82489a1ee # pin@v1.5.1
+ with:
+ registries: 311462405659
+
+ - name: Trivy Terraform Config Scan
+ id: trivy_scan
+ uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
+ with:
+ scan-type: "config"
+ target: terraform/${{ matrix.folder }}
+ severity: "MEDIUM,HIGH,CRITICAL"
+ format: "sarif"
+ output: "trivy-results.sarif"
+ env:
+ TRIVY_TIMEOUT: 15m
+ TRIVY_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-db
+ TRIVY_JAVA_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-java-db
diff --git a/terraform/account/region/elasticache.tf b/terraform/account/region/elasticache.tf
index d6bb63c941..40981b3fb2 100644
--- a/terraform/account/region/elasticache.tf
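Review bot: The Trivy step writes findings to `trivy-results.sarif` but nothing consumes that file and no `exit-code` is set, so with trivy-action's default of `0` a MEDIUM/HIGH/CRITICAL misconfiguration neither fails the job nor reaches code scanning — as written the scan is advisory-only and its output is discarded with the runner. Add `exit-code: "1"` under the step's `with:` to gate the pipeline, and follow it with an upload of the SARIF file (sketched below, with `if: always()` so the upload still runs when the scan fails the step). The `steps:` list and the job's `permissions:` block start outside the hunk; OIDC needs `id-token: write` and the upload needs `security-events: write`, so confirm both are present. Separately, the credentials step is labelled "for ECR push" and assumes `digideps-gh-actions-ecr-push` while this job only pulls the Trivy DB — if that role carries push rights, a pull-only role would be least privilege — and the trivy-action pin lacks the `# pin@vX.Y.Z` annotation the other two steps carry, which makes future bumps harder to audit.
```yaml
      - name: Trivy Terraform Config Scan
        id: trivy_scan
        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
        with:
          # … unchanged: scan-type, target, severity, format, output …
          exit-code: "1"
        # … unchanged: env …

      - name: Upload Trivy SARIF to code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@<PINNED_SHA>  # placeholder: pin to a reviewed commit
        with:
          sarif_file: trivy-results.sarif
```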
+++ b/terraform/account/region/elasticache.tf
@@ -26,17 +26,6 @@ resource "aws_elasticache_replication_group" "cache_api" {
 }, var.default_tags)
 }
 
-# TO_DEL
-resource "aws_security_group" "cache_api_sg" {
- name = "${var.account.name}-account-cache-api"
- vpc_id = aws_vpc.main.id
- tags = merge(var.default_tags, { Name = "${var.account.name}-account-cache--api" })
-
- lifecycle {
- create_before_destroy = true
- }
-}
-
 resource "aws_security_group" "api_cache_sg" {
 name = "${var.account.name}-shared-cache-api"
 description = "API Cache"
@@ -75,17 +64,6 @@ resource "aws_elasticache_replication_group" "front_api" {
 }, var.default_tags)
 }
 
-# TO_DEL
-resource "aws_security_group" "cache_front_sg" {
- name = "${var.account.name}-account-cache-frontend"
- vpc_id = aws_vpc.main.id
- tags = merge(var.default_tags, { Name = "${var.account.name}-account-cache-frontend" })
-
- lifecycle {
- create_before_destroy = true
- }
-}
-
 resource "aws_security_group" "front_cache_sg" {
 name = "${var.account.name}-shared-cache-front"
 vpc_id = aws_vpc.main.id
diff --git a/terraform/environment/region/elasticache_sg.tf b/terraform/environment/region/elasticache_sg.tf
index 60349d4082..2900aa00a7 100644
--- a/terraform/environment/region/elasticache_sg.tf
+++ b/terraform/environment/region/elasticache_sg.tf
@@ -5,10 +5,6 @@ data "aws_elasticache_replication_group" "front_cache_cluster" {
 replication_group_id = "frontend-redis-${var.account.name}"
 }
 
-data "aws_security_group" "front_cache_sg" {
- name = "${var.account.name}-account-cache-frontend"
-}
-
 data "aws_security_group" "cache_front_sg" {
 name = "${var.account.name}-shared-cache-front"
 }
@@ -39,10 +35,6 @@ data "aws_elasticache_replication_group" "api_cache_cluster" {
 replication_group_id = "api-redis-${var.account.name}"
 }
 
-data "aws_security_group" "api_cache_sg" {
- name = "${var.account.name}-account-cache-api"
-}
-
 data "aws_security_group" "cache_api_sg" {
 name = "${var.account.name}-shared-cache-api"
 }