Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump s3-bucket::modernisation-platform-terraform-s3-bucket from 7.1.0 to 8.0.1 in /terraform/environments/apex #6928

Closed
wants to merge 1 commit into from
Closed

Bump s3-bucket::modernisation-platform-terraform-s3-bucket from 7.1.0 to 8.0.1 in /terraform/environments/apex #6928

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jul 8, 2024

Bumps s3-bucket::modernisation-platform-terraform-s3-bucket from 7.1.0 to 8.0.1.

Release notes

Sourced from s3-bucket::modernisation-platform-terraform-s3-bucket's releases.

v8.0.1

What's Changed

New Contributors

Full Changelog: ministryofjustice/modernisation-platform-terraform-s3-bucket@v.8.0.0...v8.0.1

v8.0.0

Breaking Changes

Module for creating IAM role for replication has been integrated into this S3-bucket module so includes functionality for an IAM role to enable the replication of objects between S3 buckets in different regions.

The breaking changes only apply to pre existing replication buckets, used by this module here. If you currently do not use the replication module, you will not be affected.

  • 'versioning_enabled' is not optional and must be set to true for both source and destination bucket.
  • 'ownership_controls' variable must be set to 'BucketOwnerEnforced' for full control of all objects in the bucket and to disable ACLs.
  • The KMS key used for encryption must be in the same region as the destination bucket.

If any more information is required, feel free to reach out to Khatra Farah or Edd Proctor.

What's Changed

... (truncated)

Commits
  • 7b2b75c Merge pull request #473 from ministryofjustice/DSOS-2885/fix-dso-static-analy...
  • 2771fe4 add Static analysis scan exception for module
  • cb05228 Merge pull request #472 from ministryofjustice/dependabot/github_actions/brid...
  • bd66ceb Bump bridgecrewio/checkov-action from 12.2805.0 to 12.2809.0
  • d63c88d Merge pull request #471 from ministryofjustice/dependabot/github_actions/brid...
  • 6eae979 Bump bridgecrewio/checkov-action from 12.2802.0 to 12.2805.0
  • 2779c7a Merge pull request #469 from ministryofjustice/dependabot/github_actions/brid...
  • c604d72 Bump bridgecrewio/checkov-action from 12.2799.0 to 12.2802.0
  • 3728fff Merge pull request #470 from ministryofjustice/fix/go-terratest
  • 2d0f776 Update go-terratest.yml
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump s3-bucket::modernisation-platform-terraform-s3-bucket
b40d247 
Bumps [s3-bucket::modernisation-platform-terraform-s3-bucket](https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket) from 7.1.0 to 8.0.1.
- [Release notes](https://github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket/releases)
- [Commits](ministryofjustice/modernisation-platform-terraform-s3-bucket@v7.1.0...v8.0.1)

---
updated-dependencies:
- dependency-name: s3-bucket::github::ministryofjustice/modernisation-platform-terraform-s3-bucket::v7.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot requested review from a team as code owners July 8, 2024 00:08
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Jul 8, 2024
@dependabot dependabot bot requested a review from a team as a code owner July 8, 2024 00:08
@dependabot dependabot bot added the terraform Pull requests that update Terraform code label Jul 8, 2024
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jul 8, 2024
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 8, 2024

Trivy Scan Failed

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/apex/modules/alb

Running Trivy in terraform/environments/apex/modules/alb
2024-07-08T00:10:14Z INFO Need to update DB
2024-07-08T00:10:14Z INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-08T00:10:16Z INFO Vulnerability scanning is enabled
2024-07-08T00:10:16Z INFO Misconfiguration scanning is enabled
2024-07-08T00:10:16Z INFO Need to update the built-in policies
2024-07-08T00:10:16Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-08T00:10:17Z INFO Secret scanning is enabled
2024-07-08T00:10:17Z INFO If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-08T00:10:17Z INFO Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-08T00:10:17Z INFO Number of language-specific files num=0
2024-07-08T00:10:17Z INFO Detected config files num=3

main.tf (terraform)

Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
main.tf:289
via main.tf:284-291 (content)
via main.tf:282-292 (dynamic.egress["lb_egress"])
via main.tf:264-293 (aws_security_group.lb)
────────────────────────────────────────
264 resource "aws_security_group" "lb" {
...
289 [ cidr_blocks = lookup(egress.value, "cidr_blocks", null)
...
293 }
────────────────────────────────────────

trivy_exitcode=1

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/apex/modules/alb

*****************************

Running Checkov in terraform/environments/apex/modules/alb
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-07-08 00:10:20,287 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=v8.0.1:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 25, Failed checks: 4, Skipped checks: 3

Check: CKV_AWS_149: "Ensure that Secrets Manager secret is encrypted using KMS CMK"
	FAILED for resource: aws_secretsmanager_secret.cloudfront
	File: /main.tf:303-306
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-secrets-manager-secret-is-encrypted-using-kms

		303 | resource "aws_secretsmanager_secret" "cloudfront" {
		304 |   name        = "cloudfront-v1-secret-${var.application_name}"
		305 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		306 | }

Check: CKV_AWS_233: "Ensure Create before destroy for ACM certificates"
	FAILED for resource: aws_acm_certificate.external_lb
	File: /main.tf:658-668
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/ensure-aws-acm-certificate-enables-create-before-destroy

		658 | resource "aws_acm_certificate" "external_lb" {
		659 | 
		660 |   domain_name               = var.acm_cert_domain_name
		661 |   validation_method         = "DNS"
		662 |   subject_alternative_names = var.environment == "production" ? null : ["${var.application_name}.${var.business_unit}-${var.environment}.${var.acm_cert_domain_name}"]
		663 |   tags                      = var.tags
		664 |   # TODO Set prevent_destroy to true to stop Terraform destroying this resource in the future if required
		665 |   lifecycle {
		666 |     prevent_destroy = false
		667 |   }
		668 | }

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: s3-bucket[0]
	File: /main.tf:124-179
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV2_AWS_57: "Ensure Secrets Manager secrets should have automatic rotation enabled"
	FAILED for resource: aws_secretsmanager_secret.cloudfront
	File: /main.tf:303-306
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-2-57

		303 | resource "aws_secretsmanager_secret" "cloudfront" {
		304 |   name        = "cloudfront-v1-secret-${var.application_name}"
		305 |   description = "Simple secret created by AWS CloudFormation to be shared between ALB and CloudFront"
		306 | }


checkov_exitcode=1

CTFLint Scan Failed

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/apex/modules/alb

*****************************

Running tflint in terraform/environments/apex/modules/alb
Excluding the following checks: terraform_unused_declarations
3 issue(s) found:

Warning: Missing version constraint for provider "random" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/modules/alb/main.tf line 298:
 298: resource "random_password" "cloudfront" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: Missing version constraint for provider "null" in `required_providers` (terraform_required_providers)

  on terraform/environments/apex/modules/alb/main.tf line 532:
 532: resource "null_resource" "always_run" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: `environment` variable has no type (terraform_typed_variables)

  on terraform/environments/apex/modules/alb/variables.tf line 123:
 123: variable "environment" {}

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

tflint_exitcode=2

Trivy Scan Failed

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/apex/modules/alb

*****************************

Running Trivy in terraform/environments/apex/modules/alb
2024-07-08T00:10:14Z	INFO	Need to update DB
2024-07-08T00:10:14Z	INFO	Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-07-08T00:10:16Z	INFO	Vulnerability scanning is enabled
2024-07-08T00:10:16Z	INFO	Misconfiguration scanning is enabled
2024-07-08T00:10:16Z	INFO	Need to update the built-in policies
2024-07-08T00:10:16Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-07-08T00:10:17Z	INFO	Secret scanning is enabled
2024-07-08T00:10:17Z	INFO	If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-07-08T00:10:17Z	INFO	Please see also https://aquasecurity.github.io/trivy/v0.53/docs/scanner/secret#recommendation for faster secret detection
2024-07-08T00:10:17Z	INFO	Number of language-specific files	num=0
2024-07-08T00:10:17Z	INFO	Detected config files	num=3

main.tf (terraform)
===================
Tests: 8 (SUCCESSES: 6, FAILURES: 1, EXCEPTIONS: 1)
Failures: 1 (HIGH: 0, CRITICAL: 1)

CRITICAL: Security group rule allows egress to multiple public internet addresses.
════════════════════════════════════════
Opening up ports to connect out to the public internet is generally to be avoided. You should restrict access to IP addresses or ranges that are explicitly required where possible.

See https://avd.aquasec.com/misconfig/avd-aws-0104
────────────────────────────────────────
 main.tf:289
   via main.tf:284-291 (content)
    via main.tf:282-292 (dynamic.egress["lb_egress"])
     via main.tf:264-293 (aws_security_group.lb)
────────────────────────────────────────
 264   resource "aws_security_group" "lb" {
 ...   
 289 [       cidr_blocks     = lookup(egress.value, "cidr_blocks", null)
 ...   
 293   }
────────────────────────────────────────


trivy_exitcode=1

@dependabot Dependabot
Copy link
Contributor Author

dependabot bot commented on behalf of github Aug 16, 2024

Superseded by #7475.

@dependabot dependabot bot closed this Aug 16, 2024
@dependabot dependabot bot deleted the dependabot/terraform/terraform/environments/apex/s3-bucket--github--ministryofjustice/modernisation-platform-terraform-s3-bucket--v7.1.0-8.0.1 branch August 16, 2024 00:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file environments-repository Used to exclude PRs from this repo in our Slack PR update terraform Pull requests that update Terraform code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants