Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update policy documents with permissions to remove lock files #9042

Closed
wants to merge 1 commit into from
Closed

Update policy documents with permissions to remove lock files #9042

wants to merge 1 commit into from

Conversation

dms1981
Copy link
Contributor

@dms1981 dms1981 commented Jan 22, 2025

A reference to the issue / Description of it

#8345

How does this PR fix the problem?

Adds missing permissions required for the github-actions role to remove .tflock files.

How has this been tested?

Tested through CI pipeline against sprinkler-development

Deployment Plan / Instructions

Deploy through CI

Checklist (check x in [ ] of list items)

  • I have performed a self-review of my own code
  • All checks have passed
  • I have made corresponding changes to the documentation
  • Plan and discussed how it should be deployed to PROD (If needed)

Additional comments (if any)

{Please write here}

@dms1981 dms1981 requested a review from a team as a code owner January 22, 2025 22:54
@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/bootstrap/member-bootstrap
terraform/environments/sprinkler

Running Trivy in terraform/environments/bootstrap/member-bootstrap
2025-01-22T22:56:46Z INFO [vulndb] Need to update DB
2025-01-22T22:56:46Z INFO [vulndb] Downloading vulnerability DB...
2025-01-22T22:56:46Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-22T22:56:48Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-22T22:56:48Z INFO [vuln] Vulnerability scanning is enabled
2025-01-22T22:56:48Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-22T22:56:48Z INFO [misconfig] Need to update the built-in checks
2025-01-22T22:56:48Z INFO [misconfig] Downloading the built-in checks...
164.50 KiB / 164.50 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-22T22:56:48Z INFO [secret] Secret scanning is enabled
2025-01-22T22:56:48Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-22T22:56:48Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-22T22:56:49Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-22T22:56:50Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2025-01-22T22:56:50Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2025-01-22T22:56:50Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2025-01-22T22:56:50Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2025-01-22T22:56:50Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2025-01-22T22:56:50Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2025-01-22T22:56:50Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-roles: no such file or directory"
2025-01-22T22:56:50Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2025-01-22T22:56:50Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2025-01-22T22:56:50Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2025-01-22T22:56:51Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.pagerduty_core_alerts[0].data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2025-01-22T22:56:52Z INFO Number of language-specific files num=0
2025-01-22T22:56:52Z INFO Detected config files num=3
trivy_exitcode=0

Running Trivy in terraform/environments/sprinkler
2025-01-22T22:56:52Z INFO [vuln] Vulnerability scanning is enabled
2025-01-22T22:56:52Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-22T22:56:52Z INFO [secret] Secret scanning is enabled
2025-01-22T22:56:52Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-22T22:56:52Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-22T22:56:53Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-22T22:56:53Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-22T22:56:53Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ram-ec2-retagging[0].data.aws_subnet.host" value="cty.NilVal"
2025-01-22T22:56:53Z INFO Number of language-specific files num=0
2025-01-22T22:56:53Z INFO Detected config files num=1
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/bootstrap/member-bootstrap
terraform/environments/sprinkler

*****************************

Running Checkov in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-22 22:56:56,460 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-cross-account-access?ref=6819b090bce6d3068d55c7c7b9b3fd18c9dca648:None (for external modules, the --download-external-modules flag is required)
2025-01-22 22:56:56,460 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
2025-01-22 22:56:56,460 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-roles?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
2025-01-22 22:56:56,460 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-role?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
2025-01-22 22:56:56,461 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=62b8a16c73d8e4422cd81923e46948e8f4b5cf48:None (for external modules, the --download-external-modules flag is required)
2025-01-22 22:56:56,461 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-provider?ref=82f546bd5f002674138a2ccdade7d7618c6758b3:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 171, Failed checks: 0, Skipped checks: 52


checkov_exitcode=0

*****************************

Running Checkov in terraform/environments/sprinkler
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-22 22:56:59,681 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-provider?ref=84a83751b5289f363a728eb181470b59fc5e2899:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 16, Failed checks: 0, Skipped checks: 2


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/bootstrap/member-bootstrap
terraform/environments/sprinkler

*****************************

Running tflint in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/sprinkler
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/bootstrap/member-bootstrap
terraform/environments/sprinkler

*****************************

Running Trivy in terraform/environments/bootstrap/member-bootstrap
2025-01-22T22:56:46Z	INFO	[vulndb] Need to update DB
2025-01-22T22:56:46Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-22T22:56:46Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-22T22:56:48Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-22T22:56:48Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-22T22:56:48Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-22T22:56:48Z	INFO	[misconfig] Need to update the built-in checks
2025-01-22T22:56:48Z	INFO	[misconfig] Downloading the built-in checks...
164.50 KiB / 164.50 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-22T22:56:48Z	INFO	[secret] Secret scanning is enabled
2025-01-22T22:56:48Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-22T22:56:48Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-22T22:56:49Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-22T22:56:50Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2025-01-22T22:56:50Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2025-01-22T22:56:50Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2025-01-22T22:56:50Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2025-01-22T22:56:50Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2025-01-22T22:56:50Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2025-01-22T22:56:50Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-roles: no such file or directory"
2025-01-22T22:56:50Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2025-01-22T22:56:50Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2025-01-22T22:56:50Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2025-01-22T22:56:51Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.pagerduty_core_alerts[0].data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2025-01-22T22:56:52Z	INFO	Number of language-specific files	num=0
2025-01-22T22:56:52Z	INFO	Detected config files	num=3
trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/sprinkler
2025-01-22T22:56:52Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-22T22:56:52Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-22T22:56:52Z	INFO	[secret] Secret scanning is enabled
2025-01-22T22:56:52Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-22T22:56:52Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-22T22:56:53Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-22T22:56:53Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-22T22:56:53Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.ram-ec2-retagging[0].data.aws_subnet.host" value="cty.NilVal"
2025-01-22T22:56:53Z	INFO	Number of language-specific files	num=0
2025-01-22T22:56:53Z	INFO	Detected config files	num=1
trivy_exitcode=0

@dms1981
Copy link
Contributor Author

dms1981 commented Jan 22, 2025

Closing this one; I'm going to take a more targeted approach amending permissions only for sprinkler-development in a separate branch

@dms1981 dms1981 closed this Jan 22, 2025
@dms1981 dms1981 deleted the feature/8345-add-permissions-to-delete-lock-files branch January 22, 2025 23:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@dms1981