DDLS-323 add trivy config scan to pipeline

.github/workflows/_lint-terraform.yml

@@ -58,3 +58,31 @@ jobs:
           echo $TF_WORKSPACE
           terraform validate
         working-directory: terraform/${{ matrix.folder }}
+
+      - name: configure OIDC AWS credentials for Trivy DB Ecr
+        uses: aws-actions/configure-aws-credentials@97834a484a5ab3c40fa9e2eb40fcf8041105a573 # pin@v1.7.0
+        with:
+          role-to-assume: arn:aws:iam::311462405659:role/digideps-gh-actions-ecr-push
+          role-session-name: github-actions-ecr-trivy-db
+          role-duration-seconds: 900
+          aws-region: eu-west-1
+
+      - name: ecr login for trivy db
+        id: login_ecr
+        uses: aws-actions/amazon-ecr-login@bfbd05a2dcf76451041cbd4b9d11cff82489a1ee # pin@v1.5.1
+        with:
+          registries: 311462405659
+
+      - name: Trivy Terraform Config Scan
+        id: trivy_scan
+        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0
+        with:
+          scan-type: "config"
+          target: terraform/${{ matrix.folder }}
+          severity: "MEDIUM,HIGH,CRITICAL"
+          format: "sarif"
+          output: "trivy-results.sarif"
+        env:
+          TRIVY_TIMEOUT: 15m
+          TRIVY_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-db
+          TRIVY_JAVA_DB_REPOSITORY: ${{ steps.login_ecr.outputs.registry }}/trivy-db-public-ecr/aquasecurity/trivy-java-db

terraform/account/region/elasticache.tf

@@ -26,17 +26,6 @@ resource "aws_elasticache_replication_group" "cache_api" {
   }, var.default_tags)
 }
 
-# TO_DEL
-resource "aws_security_group" "cache_api_sg" {
-  name   = "${var.account.name}-account-cache-api"
-  vpc_id = aws_vpc.main.id
-  tags   = merge(var.default_tags, { Name = "${var.account.name}-account-cache--api" })
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
 resource "aws_security_group" "api_cache_sg" {
   name        = "${var.account.name}-shared-cache-api"
   description = "API Cache"
@@ -75,17 +64,6 @@ resource "aws_elasticache_replication_group" "front_api" {
   }, var.default_tags)
 }
 
-# TO_DEL
-resource "aws_security_group" "cache_front_sg" {
-  name   = "${var.account.name}-account-cache-frontend"
-  vpc_id = aws_vpc.main.id
-  tags   = merge(var.default_tags, { Name = "${var.account.name}-account-cache-frontend" })
-
-  lifecycle {
-    create_before_destroy = true
-  }
-}
-
 resource "aws_security_group" "front_cache_sg" {
   name        = "${var.account.name}-shared-cache-front"
   vpc_id      = aws_vpc.main.id

terraform/environment/region/elasticache_sg.tf

@@ -5,10 +5,6 @@ data "aws_elasticache_replication_group" "front_cache_cluster" {
   replication_group_id = "frontend-redis-${var.account.name}"
 }
 
-data "aws_security_group" "front_cache_sg" {
-  name = "${var.account.name}-account-cache-frontend"
-}
-
 data "aws_security_group" "cache_front_sg" {
   name = "${var.account.name}-shared-cache-front"
 }
@@ -39,10 +35,6 @@ data "aws_elasticache_replication_group" "api_cache_cluster" {
   replication_group_id = "api-redis-${var.account.name}"
 }
 
-data "aws_security_group" "api_cache_sg" {
-  name = "${var.account.name}-account-cache-api"
-}
-
 data "aws_security_group" "cache_api_sg" {
   name = "${var.account.name}-shared-cache-api"
 }