Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow specifying the task def outside this module #90

Closed
wants to merge 6 commits into from
Closed

Allow specifying the task def outside this module #90

wants to merge 6 commits into from

Conversation

georgepstaylor
Copy link
Member

No description provided.

@georgepstaylor georgepstaylor requested a review from a team as a code owner March 12, 2024 19:24
@georgepstaylor georgepstaylor changed the title Allow specifying the task def Allow specifying the task def outside this module Mar 12, 2024
@github-actions GitHub Actions
Copy link
Contributor

TFSEC Scan Success

Show Output ```hcl

TFSEC will check the following folders:
.

Running TFSEC in .
Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available
for the time being, although our engineering
attention will be directed at Trivy going forward.

You can read more here:
aquasecurity/tfsec#1994

timings
──────────────────────────────────────────
disk i/o 1.490753ms
parsing 198.141597ms
adaptation 743.273µs
checks 15.690006ms
total 216.065629ms

counts
──────────────────────────────────────────
modules downloaded 0
modules processed 11
blocks processed 515
files read 58

results
──────────────────────────────────────────
passed 6
ignored 4
critical 0
high 0
medium 0
low 0

No problems detected!

tfsec_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-12 19:26:44,270 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 92, Failed checks: 1, Skipped checks: 17

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ecs_alb_service_task.aws_iam_policy_document.ecs_exec
	File: /cloudposse/ecs-alb-service-task/aws/main.tf:266-284
	Calling File: /service/main.tf:2-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		266 | data "aws_iam_policy_document" "ecs_exec" {
		267 |   count = local.create_exec_role ? 1 : 0
		268 | 
		269 |   statement {
		270 |     effect    = "Allow"
		271 |     resources = ["*"]
		272 | 
		273 |     actions = [
		274 |       "ssm:GetParameters",
		275 |       "ecr:GetAuthorizationToken",
		276 |       "ecr:BatchCheckLayerAvailability",
		277 |       "ecr:GetDownloadUrlForLayer",
		278 |       "ecr:BatchGetImage",
		279 |       "logs:CreateLogGroup",
		280 |       "logs:CreateLogStream",
		281 |       "logs:PutLogEvents"
		282 |     ]
		283 |   }
		284 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

Trivy Scan

Show Output 



      		
    

  





        


            

            

              
            

        

      


      

            
  

    
  
    
    

  

  



    












      

  
        





      

  
      



  

  @github-actions

    
      GitHub Actions
    




  


    

      

  

    

        
    
    

  


      
          
  
      
            Copy link

  

      
    

  


  

      

  
    Contributor


      

  


  

    

  





      


        


  
    

      
          
TFSEC Scan Success


Show Output
```hcl



TFSEC will check the following folders:

.




Running TFSEC in .

Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group


======================================================

tfsec is joining the Trivy family


tfsec will continue to remain available

for the time being, although our engineering

attention will be directed at Trivy going forward.


You can read more here:

aquasecurity/tfsec#1994


timings

──────────────────────────────────────────

disk i/o             3.111531ms

parsing              211.7298ms

adaptation           805.875µs

checks               12.028159ms

total                227.675365ms


counts

──────────────────────────────────────────

modules downloaded   0

modules processed    11

blocks processed     515

files read           58


results

──────────────────────────────────────────

passed               6

ignored              4

critical             0

high                 0

medium               0

low                  0


No problems detected!


tfsec_exitcode=0


</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-12 19:33:28,562 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 92, Failed checks: 1, Skipped checks: 17

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ecs_alb_service_task.aws_iam_policy_document.ecs_exec
	File: /cloudposse/ecs-alb-service-task/aws/main.tf:266-284
	Calling File: /service/main.tf:2-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		266 | data "aws_iam_policy_document" "ecs_exec" {
		267 |   count = local.create_exec_role ? 1 : 0
		268 | 
		269 |   statement {
		270 |     effect    = "Allow"
		271 |     resources = ["*"]
		272 | 
		273 |     actions = [
		274 |       "ssm:GetParameters",
		275 |       "ecr:GetAuthorizationToken",
		276 |       "ecr:BatchCheckLayerAvailability",
		277 |       "ecr:GetDownloadUrlForLayer",
		278 |       "ecr:BatchGetImage",
		279 |       "logs:CreateLogGroup",
		280 |       "logs:CreateLogStream",
		281 |       "logs:PutLogEvents"
		282 |     ]
		283 |   }
		284 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1





CTFLint Scan Success


Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0




Trivy Scan


Show Output




      		
    

  





        


            

            

              
            

        

      


      

            
  

    
  
    
    

  

  



    












      

  
        





      

  
      



  

  @github-actions

    
      GitHub Actions
    




  


    

      

  

    

        
    
    

  


      
          
  
      
            Copy link

  

      
    

  


  

      

  
    Contributor


      

  


  

    

  





      


        


  
    

      
          
TFSEC Scan Success


Show Output
```hcl



TFSEC will check the following folders:

.




Running TFSEC in .

Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group


======================================================

tfsec is joining the Trivy family


tfsec will continue to remain available

for the time being, although our engineering

attention will be directed at Trivy going forward.


You can read more here:

aquasecurity/tfsec#1994


timings

──────────────────────────────────────────

disk i/o             1.241723ms

parsing              207.191835ms

adaptation           700.917µs

checks               9.364018ms

total                218.498493ms


counts

──────────────────────────────────────────

modules downloaded   0

modules processed    11

blocks processed     515

files read           58


results

──────────────────────────────────────────

passed               6

ignored              4

critical             0

high                 0

medium               0

low                  0


No problems detected!


tfsec_exitcode=0


</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-12 19:38:43,366 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 92, Failed checks: 1, Skipped checks: 17

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ecs_alb_service_task.aws_iam_policy_document.ecs_exec
	File: /cloudposse/ecs-alb-service-task/aws/main.tf:266-284
	Calling File: /service/main.tf:2-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		266 | data "aws_iam_policy_document" "ecs_exec" {
		267 |   count = local.create_exec_role ? 1 : 0
		268 | 
		269 |   statement {
		270 |     effect    = "Allow"
		271 |     resources = ["*"]
		272 | 
		273 |     actions = [
		274 |       "ssm:GetParameters",
		275 |       "ecr:GetAuthorizationToken",
		276 |       "ecr:BatchCheckLayerAvailability",
		277 |       "ecr:GetDownloadUrlForLayer",
		278 |       "ecr:BatchGetImage",
		279 |       "logs:CreateLogGroup",
		280 |       "logs:CreateLogStream",
		281 |       "logs:PutLogEvents"
		282 |     ]
		283 |   }
		284 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1





CTFLint Scan Success


Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0




Trivy Scan


Show Output




      		
    

  





        


            

            

              
            

        

      


      

            
  

    
  
    
    

  

  



    












      

  
        





      

  
      



  

  @github-actions

    
      GitHub Actions
    




  


    

      

  

    

        
    
    

  


      
          
  
      
            Copy link

  

      
    

  


  

      

  
    Contributor


      

  


  

    

  





      


        


  
    

      
          
TFSEC Scan Success


Show Output
```hcl



TFSEC will check the following folders:

.




Running TFSEC in .

Excluding the following checks: aws-cloudwatch-log-group-customer-key, aws-iam-no-policy-wildcards, aws-vpc-no-public-egress-sgr, aws-iam-block-kms-policy-wildcard, aws-vpc-add-description-to-security-group


======================================================

tfsec is joining the Trivy family


tfsec will continue to remain available

for the time being, although our engineering

attention will be directed at Trivy going forward.


You can read more here:

aquasecurity/tfsec#1994


timings

──────────────────────────────────────────

disk i/o             1.293528ms

parsing              202.583614ms

adaptation           690.277µs

checks               12.387118ms

total                216.954537ms


counts

──────────────────────────────────────────

modules downloaded   0

modules processed    11

blocks processed     515

files read           58


results

──────────────────────────────────────────

passed               6

ignored              4

critical             0

high                 0

medium               0

low                  0


No problems detected!


tfsec_exitcode=0


</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
2024-03-12 19:41:34,825 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-ecs-cluster//cluster:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 93, Failed checks: 1, Skipped checks: 17

Check: CKV_AWS_108: "Ensure IAM policies does not allow data exfiltration"
	FAILED for resource: module.ecs_alb_service_task.aws_iam_policy_document.ecs_exec
	File: /cloudposse/ecs-alb-service-task/aws/main.tf:266-284
	Calling File: /service/main.tf:2-58
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/ensure-iam-policies-do-not-allow-data-exfiltration

		266 | data "aws_iam_policy_document" "ecs_exec" {
		267 |   count = local.create_exec_role ? 1 : 0
		268 | 
		269 |   statement {
		270 |     effect    = "Allow"
		271 |     resources = ["*"]
		272 | 
		273 |     actions = [
		274 |       "ssm:GetParameters",
		275 |       "ecr:GetAuthorizationToken",
		276 |       "ecr:BatchCheckLayerAvailability",
		277 |       "ecr:GetDownloadUrlForLayer",
		278 |       "ecr:BatchGetImage",
		279 |       "logs:CreateLogGroup",
		280 |       "logs:CreateLogStream",
		281 |       "logs:PutLogEvents"
		282 |     ]
		283 |   }
		284 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1





CTFLint Scan Success


Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.5.0)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0




Trivy Scan


Show Output




      		
    

  





        


            

            

              
            

        

      


      

            
  

    
  
    
    

  

  



    












      

  
            

    











  
  

    

      

  




    


    

      

              

  
    Sign up for free
    to join this conversation on GitHub.
    Already have an account?
    Sign in to comment


  



      

    

  




  
          




      

  

    
    

    
  

    Reviewers
  


    

    No reviews






    

  


      
  

    Assignees
  



        

    No one assigned







      


  


  

    Labels
  



    

    None yet







      

  

    

        

    Projects
  


        




    None yet




  



      


  

    
  

    Milestone
  


      No milestone





    
      
          


  

    
      

        
    

    Development
  



          


Successfully merging this pull request may close these issues.



  


    
  




      

    

  
      

  

    

      1 participant
    

    

        
          @georgepstaylor