DSOS-2090: pass in additional ansible vars in user-data #3359

drobinson-moj · 2023-09-14T12:50:25Z

Pass in ec2_name, application and aws_environment as extra variables in the ansible user-data script. This corresponds to changes made to dynamic inventory in the config management repo.

Note I've aligned the oasys script with all the other applications because I'm lazy. But there shouldn't be any material difference now as the AMIs are in a good place and there's no need to install python/aws cli.

github-actions · 2023-09-14T12:53:25Z

`TFSEC Scan` Success

Show Output

*****************************

TFSEC will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running TFSEC in terraform/environments/corporate-staff-rostering
Excluding the following checks: AWS095

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             1.869986ms
  parsing              315.092593ms
  adaptation           152.806µs
  checks               8.887398ms
  total                326.002783ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    5
  blocks processed     264
  files read           69

  results
  ──────────────────────────────────────────
  passed               1
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

`Checkov Scan` Failed

Show Output

*****************************

Checkov will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running Checkov in terraform/environments/corporate-staff-rostering
terraform scan results:

Passed checks: 92, Failed checks: 4, Skipped checks: 15

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-134

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.aws_cloudwatch_log_group.route53
	File: /../../modules/baseline/route53.tf:156-167
	Calling File: /main.tf:33-134
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms.html

		156 | resource "aws_cloudwatch_log_group" "route53" {
		157 |   for_each = local.route53_zones_to_create
		158 | 
		159 |   provider = aws.us-east-1
		160 | 
		161 |   name              = "/route53/${each.key}"
		162 |   retention_in_days = 30
		163 | 
		164 |   tags = merge(local.tags, {
		165 |     Name = "aws/route53/${each.key}"
		166 |   })
		167 | }

Check: CKV_AWS_354: "Ensure RDS Performance Insights are encrypted using KMS CMKs"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_353: "Ensure that RDS instances have performance insights enabled"
	FAILED for resource: module.baseline.module.db_instance.aws_db_instance.this
	File: /../../modules/rds_instance/main.tf:5-58
	Calling File: /../../modules/baseline/rds_instance.tf:1-34

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

`CTFLint Scan` Failed

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
terraform/environments/corporate-staff-rostering

*****************************

Running tflint in terraform/environments/corporate-staff-rostering
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 23:
  23:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 27:
  27:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 52:
  52:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

Warning: Interpolation-only expressions are deprecated in Terraform v0.12.14 (terraform_deprecated_interpolation)

  on terraform/environments/corporate-staff-rostering/locals_security_groups.tf line 56:
  56:       "${module.ip_addresses.mp_cidr[module.environment.vpc_name]}",

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.2.1/docs/rules/terraform_deprecated_interpolation.md

tflint_exitcode=2

* add additional ansible global variables * fix * test * remove test * update ansible script

drobinson-moj added 5 commits September 14, 2023 11:34

add additional ansible global variables

7d6f8ea

fix

33ca42a

test

0ff7c1c

remove test

7de9dbb

update ansible script

a1689b2

drobinson-moj requested review from a team as code owners September 14, 2023 12:50

github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Sep 14, 2023

drobinson-moj had a problem deploying to planetfm-test September 14, 2023 12:52 — with GitHub Actions Failure

drobinson-moj had a problem deploying to nomis-development September 14, 2023 12:52 — with GitHub Actions Failure

drobinson-moj had a problem deploying to hmpps-domain-services-development September 14, 2023 12:52 — with GitHub Actions Failure

drobinson-moj had a problem deploying to nomis-data-hub-test September 14, 2023 12:52 — with GitHub Actions Failure

drobinson-moj had a problem deploying to nomis-data-hub-development September 14, 2023 12:52 — with GitHub Actions Failure

drobinson-moj had a problem deploying to corporate-staff-rostering-development September 14, 2023 12:52 — with GitHub Actions Failure

drobinson-moj had a problem deploying to hmpps-domain-services-test September 14, 2023 12:52 — with GitHub Actions Failure

drobinson-moj had a problem deploying to planetfm-development September 14, 2023 12:52 — with GitHub Actions Failure

drobinson-moj had a problem deploying to oasys-development September 14, 2023 12:53 — with GitHub Actions Failure

drobinson-moj had a problem deploying to oasys-test September 14, 2023 12:53 — with GitHub Actions Failure

drobinson-moj had a problem deploying to hmpps-oem-development September 14, 2023 12:53 — with GitHub Actions Error

drobinson-moj had a problem deploying to nomis-combined-reporting-test September 14, 2023 12:53 — with GitHub Actions Failure

drobinson-moj had a problem deploying to nomis-test September 14, 2023 12:54 — with GitHub Actions Failure

drobinson-moj had a problem deploying to hmpps-oem-test September 14, 2023 12:55 — with GitHub Actions Error

wullub approved these changes Sep 14, 2023

View reviewed changes

drobinson-moj merged commit 2a208e5 into main Sep 14, 2023
70 of 85 checks passed

drobinson-moj deleted the DSOS-2090/add-extra-ansible-vars branch September 14, 2023 14:27

vladimir-kovalyov pushed a commit that referenced this pull request Sep 14, 2023

DSOS-2090: pass in additional ansible vars in user-data (#3359)

a34c382

* add additional ansible global variables * fix * test * remove test * update ansible script

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

DSOS-2090: pass in additional ansible vars in user-data #3359

DSOS-2090: pass in additional ansible vars in user-data #3359

drobinson-moj commented Sep 14, 2023

github-actions bot commented Sep 14, 2023

DSOS-2090: pass in additional ansible vars in user-data #3359

DSOS-2090: pass in additional ansible vars in user-data #3359

Conversation

drobinson-moj commented Sep 14, 2023

github-actions bot commented Sep 14, 2023

TFSEC Scan Success

Checkov Scan Failed

CTFLint Scan Failed

`TFSEC Scan` Success

`Checkov Scan` Failed

`CTFLint Scan` Failed