
ncr: TM-738: efs backup fix #8963

Merged
merged 3 commits into from
Dec 4, 2024

Conversation

drobinson-moj
Contributor

Disable EFS automatic backup, should go into everything vault instead
Opt into backup using same policy as DBs.
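The change the description summarises, written out as an added Terraform illustration (not code from this PR or from the efs module): EFS's own automatic backup is switched off, and the file system is instead opted into the central AWS Backup plan the same way the databases are. The selection tag `backup = "true"`, the plan/vault name `everything` and the role and plan references are assumptions; the repository's real selection policy is not shown on this page.

```hcl
# Added example, not the PR's or the efs module's own code.
# Assumptions: the central backup plan selects resources by the tag
# backup = "true" and is named "everything"; aws_backup_plan.everything
# and aws_iam_role.backup are assumed to exist elsewhere.

resource "aws_efs_file_system" "this" {
  creation_token = "example-efs" # constructed value
  encrypted      = true

  # Opt in to the central backup plan the same way the databases do:
  # through the selection tag, not through EFS's own automatic backup.
  tags = {
    backup = "true"
  }
}

# EFS automatic backup writes to the EFS-managed vault, outside the
# central vault's retention, access policy and monitoring. Disable it so
# the central plan is the only backup path and the data is not copied twice.
resource "aws_efs_backup_policy" "this" {
  file_system_id = aws_efs_file_system.this.id

  backup_policy {
    status = "DISABLED"
  }
}

# The central plan's tag-based selection, shown for completeness (assumed
# shape; in practice it lives with the backup plan, not in the EFS module).
resource "aws_backup_selection" "everything" {
  name         = "everything"
  plan_id      = aws_backup_plan.everything.id
  iam_role_arn = aws_iam_role.backup.arn

  selection_tag {
    type  = "STRINGEQUALS"
    key   = "backup"
    value = "true"
  }
}
```

A quick check after apply is that the file system's backup policy reads `DISABLED` and that it appears as a protected resource under the central plan rather than the EFS automatic-backup vault.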

@drobinson-moj drobinson-moj requested review from a team as code owners December 4, 2024 12:02
@github-actions github-actions bot added the label environments-repository (Used to exclude PRs from this repo in our Slack PR update) Dec 4, 2024
Contributor

github-actions bot commented Dec 4, 2024

Trivy Scan Success

Show Output
*****************************

Trivy will check the following folders:
terraform/environments/nomis-combined-reporting
terraform/modules/efs

*****************************

Running Trivy in terraform/environments/nomis-combined-reporting
2024-12-04T12:04:36Z INFO [vulndb] Need to update DB
2024-12-04T12:04:36Z INFO [vulndb] Downloading vulnerability DB...
2024-12-04T12:04:36Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-04T12:04:38Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2024-12-04T12:04:38Z INFO [vuln] Vulnerability scanning is enabled
2024-12-04T12:04:38Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-04T12:04:38Z INFO [misconfig] Need to update the built-in checks
2024-12-04T12:04:38Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2024-12-04T12:04:40Z INFO [secret] Secret scanning is enabled
2024-12-04T12:04:40Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-04T12:04:40Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-04T12:04:41Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-04T12:04:41Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-12-04T12:04:42Z INFO Number of language-specific files num=0
2024-12-04T12:04:42Z INFO Detected config files num=1
trivy_exitcode=0

*****************************

Running Trivy in terraform/modules/efs
2024-12-04T12:04:42Z INFO [vuln] Vulnerability scanning is enabled
2024-12-04T12:04:42Z INFO [misconfig] Misconfiguration scanning is enabled
2024-12-04T12:04:42Z INFO [secret] Secret scanning is enabled
2024-12-04T12:04:42Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-12-04T12:04:42Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.58/docs/scanner/secret#recommendation for faster secret detection
2024-12-04T12:04:43Z INFO [terraform scanner] Scanning root module file_path="."
2024-12-04T12:04:43Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="file_system, name"
2024-12-04T12:04:43Z INFO Number of language-specific files num=0
2024-12-04T12:04:43Z INFO Detected config files num=1
trivy_exitcode=0

Checkov Scan Failed

Show Output
*****************************

Checkov will check the following folders:
terraform/environments/nomis-combined-reporting
terraform/modules/efs

*****************************

Running Checkov in terraform/environments/nomis-combined-reporting
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 168, Failed checks: 8, Skipped checks: 18

Check: CKV_AWS_115: "Ensure that AWS Lambda function is configured for function-level concurrent execution limit"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda[0].aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-function-level-concurrent-execution-limit

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_173: "Check encryption settings for Lambda environmental variable"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda[0].aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-5

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_116: "Ensure that AWS Lambda function is configured for a Dead Letter Queue(DLQ)"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda[0].aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-for-a-dead-letter-queue-dlq

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_50: "X-Ray tracing is enabled for Lambda"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda[0].aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-serverless-policies/bc-aws-serverless-4

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_272: "Ensure AWS Lambda function is configured to validate code-signing"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda[0].aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/bc-aws-272

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_117: "Ensure that AWS Lambda function is configured inside a VPC"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda[0].aws_lambda_function.alarm_scheduler
	File: /../../modules/schedule_alarms_lambda/main.tf:8-27
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-aws-lambda-function-is-configured-inside-a-vpc-1

		8  | resource "aws_lambda_function" "alarm_scheduler" {
		9  |   filename         = "${path.module}/lambda/alarm_scheduler.zip"
		10 |   function_name    = var.lambda_function_name
		11 |   architectures    = ["arm64"]
		12 |   role             = aws_iam_role.lambda_exec.arn
		13 |   runtime          = "python3.12"
		14 |   handler          = "alarm_scheduler.lambda_handler"
		15 |   source_code_hash = data.archive_file.lambda_function_payload.output_base64sha256
		16 |   timeout          = 10
		17 | 
		18 |   environment {
		19 |     variables = {
		20 |       LOG_LEVEL       = var.lambda_log_level
		21 |       SPECIFIC_ALARMS = tostring(join(",", var.alarm_list))
		22 |       ALARM_PATTERNS  = tostring(join(",", var.alarm_patterns))
		23 |     }
		24 |   }
		25 | 
		26 |   tags = var.tags
		27 | }

Check: CKV_AWS_338: "Ensure CloudWatch log groups retains logs for at least 1 year"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda[0].aws_cloudwatch_log_group.execution_logs
	File: /../../modules/schedule_alarms_lambda/main.tf:29-34
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-logging-policies/bc-aws-338

		29 | resource "aws_cloudwatch_log_group" "execution_logs" {
		30 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		31 |   retention_in_days = 7
		32 | 
		33 |   tags = var.tags
		34 | }

Check: CKV_AWS_158: "Ensure that CloudWatch Log Group is encrypted by KMS"
	FAILED for resource: module.baseline.module.schedule_alarms_lambda[0].aws_cloudwatch_log_group.execution_logs
	File: /../../modules/schedule_alarms_lambda/main.tf:29-34
	Calling File: /../../modules/baseline/schedule_alarms_lambda.tf:1-20
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-cloudwatch-log-group-is-encrypted-by-kms

		29 | resource "aws_cloudwatch_log_group" "execution_logs" {
		30 |   name              = format("/aws/lambda/%s", var.lambda_function_name)
		31 |   retention_in_days = 7
		32 | 
		33 |   tags = var.tags
		34 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/modules/efs
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 15, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

CTFLint Scan Failed

Show Output
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/nomis-combined-reporting
terraform/modules/efs

*****************************

Running tflint in terraform/environments/nomis-combined-reporting
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/modules/efs
Excluding the following checks: terraform_unused_declarations
2 issue(s) found:

Warning: terraform "required_version" attribute is required (terraform_required_version)

  on terraform/modules/efs/main.tf line 1:

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_version.md

Warning: Missing version constraint for provider "aws" in `required_providers` (terraform_required_providers)

  on terraform/modules/efs/main.tf line 113:
 113: resource "aws_efs_mount_target" "this" {

Reference: https://github.com/terraform-linters/tflint-ruleset-terraform/blob/v0.9.1/docs/rules/terraform_required_providers.md

tflint_exitcode=2

@drobinson-moj drobinson-moj merged commit 224377c into main Dec 4, 2024
25 of 26 checks passed
@drobinson-moj drobinson-moj deleted the ncr/TM-738/efs-backup-test branch December 4, 2024 13:13