# DPR2-709: Set maintenance window to Sun at 2am for CDC jobs #7606

Merged 1 commit on Aug 27, 2024

@koladeadewuyi-moj koladeadewuyi-moj commented Aug 23, 2024

This PR makes the maintenance window during which the glue job will be restarted configurable

@koladeadewuyi-moj koladeadewuyi-moj requested review from a team as code owners August 23, 2024 17:11
@github-actions github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Aug 23, 2024
#### `Trivy Scan` Success
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs
terraform/environments/digital-prison-reporting/modules/glue_job


Running Trivy in terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs
2024-08-23T17:13:55Z INFO [db] Need to update DB
2024-08-23T17:13:55Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-23T17:13:57Z INFO [vuln] Vulnerability scanning is enabled
2024-08-23T17:13:57Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-23T17:13:57Z INFO Need to update the built-in policies
2024-08-23T17:13:57Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-08-23T17:13:57Z INFO [secret] Secret scanning is enabled
2024-08-23T17:13:57Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-23T17:13:57Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-23T17:13:57Z INFO Number of language-specific files num=0
2024-08-23T17:13:57Z INFO Detected config files num=1
trivy_exitcode=0


Running Trivy in terraform/environments/digital-prison-reporting/modules/glue_job
2024-08-23T17:13:58Z INFO [vuln] Vulnerability scanning is enabled
2024-08-23T17:13:58Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-23T17:13:58Z INFO [secret] Secret scanning is enabled
2024-08-23T17:13:58Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-23T17:13:58Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-23T17:13:58Z INFO Number of language-specific files num=0
2024-08-23T17:13:58Z INFO Detected config files num=1
trivy_exitcode=0
```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs
terraform/environments/digital-prison-reporting/modules/glue_job

*****************************

Running Checkov in terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 50, Failed checks: 20, Skipped checks: 0

Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: module.create_reload_diff_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:155-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.create_reload_diff_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:155-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.create_reload_diff_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:155-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.create_reload_diff_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:155-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: module.glue_archive_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:119-152
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.glue_archive_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:119-152
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.glue_archive_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:119-152
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.glue_archive_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:119-152
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: module.glue_reporting_hub_batch_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:43-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.glue_reporting_hub_batch_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:43-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.glue_reporting_hub_batch_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:43-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.glue_reporting_hub_batch_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:43-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: module.glue_reporting_hub_cdc_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:2-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.glue_reporting_hub_cdc_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:2-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.glue_reporting_hub_cdc_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:2-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.glue_reporting_hub_cdc_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:2-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: module.unprocessed_raw_files_check_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:81-115
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.unprocessed_raw_files_check_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:81-115
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.unprocessed_raw_files_check_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:81-115
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.unprocessed_raw_files_check_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:81-115
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/digital-prison-reporting/modules/glue_job
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-23 17:14:04,047 [MainThread  ] [WARNI]  Error in evaluate_try of argument arn:aws:iam::var.account:policy/aws_iam_policy.additional-policy[0].name - invalid syntax (<string>, line 1)
terraform scan results:

Passed checks: 9, Failed checks: 4, Skipped checks: 0

Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_policy_document.extra-policy-document
	File: /main.tf:86-182
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.extra-policy-document
	File: /main.tf:86-182
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.extra-policy-document
	File: /main.tf:86-182
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.extra-policy-document
	File: /main.tf:86-182
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=2
```

</details>

#### `TFLint Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs
terraform/environments/digital-prison-reporting/modules/glue_job

*****************************

Running tflint in terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on  line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs/glue.tf line 192:
 192: resource "aws_glue_trigger" "glue_file_archive_job_trigger" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: `glue_unprocessed_raw_files_check_execution_class` variable has no type (terraform_typed_variables)

  on terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs/variables.tf line 349:
 349: variable "glue_unprocessed_raw_files_check_execution_class" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: `glue_archive_execution_class` variable has no type (terraform_typed_variables)

  on terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs/variables.tf line 473:
 473: variable "glue_archive_execution_class" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/digital-prison-reporting/modules/glue_job
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on  line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/digital-prison-reporting/modules/glue_job/main.tf line 243:
 243: resource "aws_glue_security_configuration" "sec_cfg" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=4
```

</details>

#### `Trivy Scan` Success
<details><summary>Show Output</summary>

```hcl

Trivy will check the following folders:
terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs
terraform/environments/digital-prison-reporting/modules/glue_job


Running Trivy in terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs
2024-08-23T17:19:47Z INFO [db] Need to update DB
2024-08-23T17:19:47Z INFO [db] Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-23T17:19:49Z INFO [vuln] Vulnerability scanning is enabled
2024-08-23T17:19:49Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-23T17:19:49Z INFO Need to update the built-in policies
2024-08-23T17:19:49Z INFO Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s
2024-08-23T17:19:50Z INFO [secret] Secret scanning is enabled
2024-08-23T17:19:50Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-23T17:19:50Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-23T17:19:50Z INFO Number of language-specific files num=0
2024-08-23T17:19:50Z INFO Detected config files num=1
trivy_exitcode=0


Running Trivy in terraform/environments/digital-prison-reporting/modules/glue_job
2024-08-23T17:19:51Z INFO [vuln] Vulnerability scanning is enabled
2024-08-23T17:19:51Z INFO [misconfig] Misconfiguration scanning is enabled
2024-08-23T17:19:51Z INFO [secret] Secret scanning is enabled
2024-08-23T17:19:51Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-23T17:19:51Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-23T17:19:51Z INFO Number of language-specific files num=0
2024-08-23T17:19:51Z INFO Detected config files num=1
trivy_exitcode=0
```

</details>

#### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs
terraform/environments/digital-prison-reporting/modules/glue_job

*****************************

Running Checkov in terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 50, Failed checks: 20, Skipped checks: 0

Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: module.create_reload_diff_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:155-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.create_reload_diff_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:155-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.create_reload_diff_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:155-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.create_reload_diff_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:155-190
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: module.glue_archive_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:119-152
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.glue_archive_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:119-152
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.glue_archive_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:119-152
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.glue_archive_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:119-152
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: module.glue_reporting_hub_batch_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:43-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.glue_reporting_hub_batch_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:43-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.glue_reporting_hub_batch_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:43-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.glue_reporting_hub_batch_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:43-78
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: module.glue_reporting_hub_cdc_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:2-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.glue_reporting_hub_cdc_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:2-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.glue_reporting_hub_cdc_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:2-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.glue_reporting_hub_cdc_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:2-39
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: module.unprocessed_raw_files_check_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:81-115
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: module.unprocessed_raw_files_check_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:81-115
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: module.unprocessed_raw_files_check_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:81-115
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: module.unprocessed_raw_files_check_job.aws_iam_policy_document.extra-policy-document
	File: /../../glue_job/main.tf:86-182
	Calling File: /glue.tf:81-115
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/digital-prison-reporting/modules/glue_job
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2024-08-23 17:19:59,033 [MainThread  ] [WARNI]  Error in evaluate_try of argument arn:aws:iam::var.account:policy/aws_iam_policy.additional-policy[0].name - invalid syntax (<string>, line 1)
terraform scan results:

Passed checks: 9, Failed checks: 4, Skipped checks: 0

Check: CKV_AWS_110: "Ensure IAM policies does not allow privilege escalation"
	FAILED for resource: aws_iam_policy_document.extra-policy-document
	File: /main.tf:86-182
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-does-not-allow-privilege-escalation

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy_document.extra-policy-document
	File: /main.tf:86-182
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-write-access-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_356: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy_document.extra-policy-document
	File: /main.tf:86-182
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-356

		Code lines for this resource are too many. Please use IDE of your choice to review the file.
Check: CKV_AWS_109: "Ensure IAM policies does not allow permissions management / resource exposure without constraints"
	FAILED for resource: aws_iam_policy_document.extra-policy-document
	File: /main.tf:86-182
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint

		Code lines for this resource are too many. Please use IDE of your choice to review the file.

checkov_exitcode=2

TFLint Scan Failed

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs
terraform/environments/digital-prison-reporting/modules/glue_job

*****************************

Running tflint in terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs
Excluding the following checks: terraform_unused_declarations
4 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on  line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs/glue.tf line 192:
 192: resource "aws_glue_trigger" "glue_file_archive_job_trigger" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

Warning: `glue_unprocessed_raw_files_check_execution_class` variable has no type (terraform_typed_variables)

  on terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs/variables.tf line 354:
 354: variable "glue_unprocessed_raw_files_check_execution_class" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

Warning: `glue_archive_execution_class` variable has no type (terraform_typed_variables)

  on terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs/variables.tf line 478:
 478: variable "glue_archive_execution_class" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_typed_variables.md

tflint_exitcode=2

*****************************

Running tflint in terraform/environments/digital-prison-reporting/modules/glue_job
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on  line 0:
   (source code not available)

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/environments/digital-prison-reporting/modules/glue_job/main.tf line 243:
 243: resource "aws_glue_security_configuration" "sec_cfg" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.5.0/docs/rules/terraform_required_providers.md

tflint_exitcode=4

Trivy Scan Success

*****************************

Trivy will check the following folders:
terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs
terraform/environments/digital-prison-reporting/modules/glue_job

*****************************

Running Trivy in terraform/environments/digital-prison-reporting/modules/domains/ingestion-jobs
2024-08-23T17:19:47Z	INFO	[db] Need to update DB
2024-08-23T17:19:47Z	INFO	[db] Downloading DB...	repository="ghcr.io/aquasecurity/trivy-db:2"
2024-08-23T17:19:49Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-23T17:19:49Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-23T17:19:49Z	INFO	Need to update the built-in policies
2024-08-23T17:19:49Z	INFO	Downloading the built-in policies...
74.86 KiB / 74.86 KiB [-----------------------------------------------------------] 100.00% ? p/s 0s2024-08-23T17:19:50Z	INFO	[secret] Secret scanning is enabled
2024-08-23T17:19:50Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-23T17:19:50Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-23T17:19:50Z	INFO	Number of language-specific files	num=0
2024-08-23T17:19:50Z	INFO	Detected config files	num=1
trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/digital-prison-reporting/modules/glue_job
2024-08-23T17:19:51Z	INFO	[vuln] Vulnerability scanning is enabled
2024-08-23T17:19:51Z	INFO	[misconfig] Misconfiguration scanning is enabled
2024-08-23T17:19:51Z	INFO	[secret] Secret scanning is enabled
2024-08-23T17:19:51Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-08-23T17:19:51Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.54/docs/scanner/secret#recommendation for faster secret detection
2024-08-23T17:19:51Z	INFO	Number of language-specific files	num=0
2024-08-23T17:19:51Z	INFO	Detected config files	num=1
trivy_exitcode=0

@koladeadewuyi-moj koladeadewuyi-moj merged commit cd839ea into main Aug 27, 2024
7 of 16 checks passed
@koladeadewuyi-moj koladeadewuyi-moj deleted the DPR2-709 branch August 27, 2024 08:42