Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Expand native locking permissions #9070

Merged
merged 2 commits into from
Jan 24, 2025
Merged

Expand native locking permissions #9070

merged 2 commits into from
Jan 24, 2025

Conversation

dms1981
Copy link
Contributor

@dms1981 dms1981 commented Jan 23, 2025

A reference to the issue / Description of it

#8345

How does this PR fix the problem?

Where roles permit access to the modernisation-platform-terraform-state S3 bucket, this PR expands them to allow them to put and delete .tflock files.

This PR also implements small linting fixes where appropriate.

How has this been tested?

Tested through CI pipeline

Deployment Plan / Instructions

Deploy through CI

Checklist (check x in [ ] of list items)

  • I have performed a self-review of my own code
  • All checks have passed
  • I have made corresponding changes to the documentation
  • Plan and discussed how it should be deployed to PROD (If needed)

Additional comments (if any)

{Please write here}

@dms1981 dms1981 requested a review from a team as a code owner January 23, 2025 21:45
@github-actions GitHub Actions
Copy link
Contributor

Terraform Plan Summary

single-sign-on
No changes. Your infrastructure matches the configuration.

@github-actions GitHub Actions
Copy link
Contributor

Terraform Plan Summary

modernisation-platform-account
Plan: 0 to add, 3 to change, 0 to destroy.

@github-actions GitHub Actions
Copy link
Contributor

Trivy Scan Success

Show Output ```hcl

Trivy will check the following folders:
terraform/environments/bootstrap/member-bootstrap
terraform/environments/sprinkler
terraform/github
terraform/modernisation-platform-account
terraform/single-sign-on

Running Trivy in terraform/environments/bootstrap/member-bootstrap
2025-01-23T21:47:23Z INFO [vulndb] Need to update DB
2025-01-23T21:47:23Z INFO [vulndb] Downloading vulnerability DB...
2025-01-23T21:47:23Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-23T21:47:25Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-23T21:47:25Z INFO [vuln] Vulnerability scanning is enabled
2025-01-23T21:47:25Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-23T21:47:25Z INFO [misconfig] Need to update the built-in checks
2025-01-23T21:47:25Z INFO [misconfig] Downloading the built-in checks...
164.50 KiB / 164.50 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-23T21:47:26Z INFO [secret] Secret scanning is enabled
2025-01-23T21:47:26Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-23T21:47:26Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-23T21:47:27Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-23T21:47:27Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2025-01-23T21:47:27Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2025-01-23T21:47:27Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2025-01-23T21:47:27Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2025-01-23T21:47:27Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2025-01-23T21:47:27Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2025-01-23T21:47:27Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-roles: no such file or directory"
2025-01-23T21:47:27Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2025-01-23T21:47:27Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2025-01-23T21:47:27Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-role: no such file or directory"
2025-01-23T21:47:29Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.pagerduty_core_alerts[0].data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2025-01-23T21:47:29Z INFO Number of language-specific files num=0
2025-01-23T21:47:29Z INFO Detected config files num=3
trivy_exitcode=0

Running Trivy in terraform/environments/sprinkler
2025-01-23T21:47:29Z INFO [vuln] Vulnerability scanning is enabled
2025-01-23T21:47:29Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-23T21:47:29Z INFO [secret] Secret scanning is enabled
2025-01-23T21:47:29Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-23T21:47:29Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-23T21:47:30Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-23T21:47:30Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-23T21:47:31Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ram-ec2-retagging[0].data.aws_subnet.host" value="cty.NilVal"
2025-01-23T21:47:31Z INFO Number of language-specific files num=0
2025-01-23T21:47:31Z INFO Detected config files num=1
trivy_exitcode=0

Running Trivy in terraform/github
2025-01-23T21:47:31Z INFO [vuln] Vulnerability scanning is enabled
2025-01-23T21:47:31Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-23T21:47:31Z INFO [secret] Secret scanning is enabled
2025-01-23T21:47:31Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-23T21:47:31Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-23T21:47:32Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-23T21:47:32Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="github_token"
2025-01-23T21:47:32Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.contributor-access" value="cty.NilVal"
2025-01-23T21:47:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.modernisation-platform-environments.github_actions_secret.default" value="cty.NilVal"
2025-01-23T21:47:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.modernisation-platform-instance-scheduler.github_actions_secret.default" value="cty.NilVal"
2025-01-23T21:47:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.modernisation-platform-terraform-aws-chatbot.github_actions_secret.default" value="cty.NilVal"
2025-01-23T21:47:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.modernisation-platform-terraform-aws-data-firehose.github_actions_secret.default" value="cty.NilVal"
2025-01-23T21:47:33Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.modernisation-platform-terraform-dns-certificates.github_actions_secret.default" value="cty.NilVal"
2025-01-23T21:47:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.modernisation-platform-terraform-member-vpc.github_actions_secret.default" value="cty.NilVal"
2025-01-23T21:47:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.modernisation-platform-terraform-module-template.github_actions_secret.default" value="cty.NilVal"
2025-01-23T21:47:34Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.modernisation-platform-terraform-pagerduty-integration.github_actions_secret.default" value="cty.NilVal"
2025-01-23T21:47:34Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="testing-ci.tf:4-9"
2025-01-23T21:47:34Z INFO Number of language-specific files num=0
2025-01-23T21:47:34Z INFO Detected config files num=3
trivy_exitcode=0

Running Trivy in terraform/modernisation-platform-account
2025-01-23T21:47:34Z INFO [vuln] Vulnerability scanning is enabled
2025-01-23T21:47:34Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-23T21:47:34Z INFO [secret] Secret scanning is enabled
2025-01-23T21:47:34Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-23T21:47:34Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-23T21:47:35Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-23T21:47:38Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-account: no such file or directory"
2025-01-23T21:47:38Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-assumable-roles: no such file or directory"
2025-01-23T21:47:38Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-group-with-policies: no such file or directory"
2025-01-23T21:47:38Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:38Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:38Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:38Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:38Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:38Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:38Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:38Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:38Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:38Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:38Z ERROR [terraform evaluator] Failed to load module. Maybe try 'terraform init'? err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=dd8a60be4cc6d726803f49301930795d266188d8/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:157-165"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-sns-topic-encryption-use-cmk" range="github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=dd8a60be4cc6d726803f49301930795d266188d8/modules/config/main.tf:40"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-sns-topic-encryption-use-cmk" range="github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=dd8a60be4cc6d726803f49301930795d266188d8/modules/config/main.tf:40"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-sns-topic-encryption-use-cmk" range="github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=dd8a60be4cc6d726803f49301930795d266188d8/modules/config/main.tf:40"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-sns-topic-encryption-use-cmk" range="github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=dd8a60be4cc6d726803f49301930795d266188d8/modules/config/main.tf:40"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-sns-topic-encryption-use-cmk" range="github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=dd8a60be4cc6d726803f49301930795d266188d8/modules/config/main.tf:40"
2025-01-23T21:47:40Z INFO [terraform executor] Ignore finding rule="aws-iam-enforce-group-mfa" range="git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=e803e25ce20a6ebd5579e0896f657fa739f6f03e/modules/iam-group-with-policies/main.tf:5-10"
2025-01-23T21:47:40Z INFO Number of language-specific files num=0
2025-01-23T21:47:40Z INFO Detected config files num=7
trivy_exitcode=0

Running Trivy in terraform/single-sign-on
2025-01-23T21:47:40Z INFO [vuln] Vulnerability scanning is enabled
2025-01-23T21:47:40Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-23T21:47:40Z INFO [secret] Secret scanning is enabled
2025-01-23T21:47:40Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-23T21:47:40Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-23T21:47:41Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-23T21:47:41Z INFO Number of language-specific files num=0
2025-01-23T21:47:41Z INFO Detected config files num=1
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/bootstrap/member-bootstrap
terraform/environments/sprinkler
terraform/github
terraform/modernisation-platform-account
terraform/single-sign-on

*****************************

Running Checkov in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-23 21:47:44,168 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-cross-account-access?ref=6819b090bce6d3068d55c7c7b9b3fd18c9dca648:None (for external modules, the --download-external-modules flag is required)
2025-01-23 21:47:44,168 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=62b8a16c73d8e4422cd81923e46948e8f4b5cf48:None (for external modules, the --download-external-modules flag is required)
2025-01-23 21:47:44,168 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-provider?ref=82f546bd5f002674138a2ccdade7d7618c6758b3:None (for external modules, the --download-external-modules flag is required)
2025-01-23 21:47:44,169 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-role?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
2025-01-23 21:47:44,169 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-pagerduty-integration?ref=0179859e6fafc567843cd55c0b05d325d5012dc4:None (for external modules, the --download-external-modules flag is required)
2025-01-23 21:47:44,169 [MainThread  ] [WARNI]  Failed to download module github.com/terraform-aws-modules/terraform-aws-iam//modules/iam-assumable-roles?ref=de95e21a3bc51cd3a44b3b95a4c2f61000649ebb:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 171, Failed checks: 0, Skipped checks: 52


checkov_exitcode=0

*****************************

Running Checkov in terraform/environments/sprinkler
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-23 21:47:47,141 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-provider?ref=84a83751b5289f363a728eb181470b59fc5e2899:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 16, Failed checks: 0, Skipped checks: 2


checkov_exitcode=0

*****************************

Running Checkov in terraform/github
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 99, Failed checks: 0, Skipped checks: 107


checkov_exitcode=0

*****************************

Running Checkov in terraform/modernisation-platform-account
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-23 21:47:53,361 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-iam-superadmins?ref=bea5d084de2f810eee5326562ad6d9d104a2aa05:None (for external modules, the --download-external-modules flag is required)
2025-01-23 21:47:53,361 [MainThread  ] [WARNI]  Failed to download module terraform-aws-modules/iam/aws//modules/iam-group-with-policies:~> 5.0 (for external modules, the --download-external-modules flag is required)
2025-01-23 21:47:53,361 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-role?ref=62b8a16c73d8e4422cd81923e46948e8f4b5cf48:None (for external modules, the --download-external-modules flag is required)
2025-01-23 21:47:53,361 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-github-oidc-provider?ref=82f546bd5f002674138a2ccdade7d7618c6758b3:None (for external modules, the --download-external-modules flag is required)
2025-01-23 21:47:53,361 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/terraform-aws-observability-platform-tenant?ref=fbbe5c8282786bcc0a00c969fe598e14f12eea9b:None (for external modules, the --download-external-modules flag is required)
2025-01-23 21:47:53,361 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=cadab519b10a7d28dfa3b77d407725db6b37614a:None (for external modules, the --download-external-modules flag is required)
2025-01-23 21:47:53,362 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=dd8a60be4cc6d726803f49301930795d266188d8:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 244, Failed checks: 0, Skipped checks: 30


checkov_exitcode=0

*****************************

Running Checkov in terraform/single-sign-on
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
terraform scan results:

Passed checks: 45, Failed checks: 0, Skipped checks: 0


checkov_exitcode=0

CTFLint Scan Success

Show Output 
*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/bootstrap/member-bootstrap
terraform/environments/sprinkler
terraform/github
terraform/modernisation-platform-account
terraform/single-sign-on

*****************************

Running tflint in terraform/environments/bootstrap/member-bootstrap
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/sprinkler
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/github
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/modernisation-platform-account
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

*****************************

Running tflint in terraform/single-sign-on
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

Trivy Scan Success

Show Output 
*****************************

Trivy will check the following folders:
terraform/environments/bootstrap/member-bootstrap
terraform/environments/sprinkler
terraform/github
terraform/modernisation-platform-account
terraform/single-sign-on

*****************************

Running Trivy in terraform/environments/bootstrap/member-bootstrap
2025-01-23T21:47:23Z	INFO	[vulndb] Need to update DB
2025-01-23T21:47:23Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-23T21:47:23Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-23T21:47:25Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-23T21:47:25Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-23T21:47:25Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-23T21:47:25Z	INFO	[misconfig] Need to update the built-in checks
2025-01-23T21:47:25Z	INFO	[misconfig] Downloading the built-in checks...
164.50 KiB / 164.50 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-23T21:47:26Z	INFO	[secret] Secret scanning is enabled
2025-01-23T21:47:26Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-23T21:47:26Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-23T21:47:27Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-23T21:47:27Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2025-01-23T21:47:27Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2025-01-23T21:47:27Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2025-01-23T21:47:27Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2025-01-23T21:47:27Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2025-01-23T21:47:27Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2025-01-23T21:47:27Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-roles: no such file or directory"
2025-01-23T21:47:27Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2025-01-23T21:47:27Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2025-01-23T21:47:27Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-role: no such file or directory"
2025-01-23T21:47:29Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.pagerduty_core_alerts[0].data.aws_sns_topic.alarm_topics" value="cty.NilVal"
2025-01-23T21:47:29Z	INFO	Number of language-specific files	num=0
2025-01-23T21:47:29Z	INFO	Detected config files	num=3
trivy_exitcode=0

*****************************

Running Trivy in terraform/environments/sprinkler
2025-01-23T21:47:29Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-23T21:47:29Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-23T21:47:29Z	INFO	[secret] Secret scanning is enabled
2025-01-23T21:47:29Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-23T21:47:29Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-23T21:47:30Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-23T21:47:30Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-23T21:47:31Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.ram-ec2-retagging[0].data.aws_subnet.host" value="cty.NilVal"
2025-01-23T21:47:31Z	INFO	Number of language-specific files	num=0
2025-01-23T21:47:31Z	INFO	Detected config files	num=1
trivy_exitcode=0

*****************************

Running Trivy in terraform/github
2025-01-23T21:47:31Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-23T21:47:31Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-23T21:47:31Z	INFO	[secret] Secret scanning is enabled
2025-01-23T21:47:31Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-23T21:47:31Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-23T21:47:32Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-23T21:47:32Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="github_token"
2025-01-23T21:47:32Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.contributor-access" value="cty.NilVal"
2025-01-23T21:47:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.modernisation-platform-environments.github_actions_secret.default" value="cty.NilVal"
2025-01-23T21:47:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.modernisation-platform-instance-scheduler.github_actions_secret.default" value="cty.NilVal"
2025-01-23T21:47:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.modernisation-platform-terraform-aws-chatbot.github_actions_secret.default" value="cty.NilVal"
2025-01-23T21:47:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.modernisation-platform-terraform-aws-data-firehose.github_actions_secret.default" value="cty.NilVal"
2025-01-23T21:47:33Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.modernisation-platform-terraform-dns-certificates.github_actions_secret.default" value="cty.NilVal"
2025-01-23T21:47:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.modernisation-platform-terraform-member-vpc.github_actions_secret.default" value="cty.NilVal"
2025-01-23T21:47:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.modernisation-platform-terraform-module-template.github_actions_secret.default" value="cty.NilVal"
2025-01-23T21:47:34Z	ERROR	[terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable.	block="module.modernisation-platform-terraform-pagerduty-integration.github_actions_secret.default" value="cty.NilVal"
2025-01-23T21:47:34Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="testing-ci.tf:4-9"
2025-01-23T21:47:34Z	INFO	Number of language-specific files	num=0
2025-01-23T21:47:34Z	INFO	Detected config files	num=3
trivy_exitcode=0

*****************************

Running Trivy in terraform/modernisation-platform-account
2025-01-23T21:47:34Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-23T21:47:34Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-23T21:47:34Z	INFO	[secret] Secret scanning is enabled
2025-01-23T21:47:34Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-23T21:47:34Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-23T21:47:35Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-23T21:47:38Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-account: no such file or directory"
2025-01-23T21:47:38Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-assumable-roles: no such file or directory"
2025-01-23T21:47:38Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-group-with-policies: no such file or directory"
2025-01-23T21:47:38Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:38Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:38Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:38Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:38Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:38Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:38Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:38Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:38Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:38Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:38Z	ERROR	[terraform evaluator] Failed to load module. Maybe try 'terraform init'?	err="open modules/iam-user: no such file or directory"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-no-user-attached-policies" range="terraform-aws-modules/iam/aws/modules/iam-user/modules/iam-user/main.tf:1-10"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-s3-encryption-customer-key" range="github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=dd8a60be4cc6d726803f49301930795d266188d8/github.com/ministryofjustice/modernisation-platform-terraform-s3-bucket?ref=8688bc15a08fbf5a4f4eef9b7433c5a417df8df1/main.tf:157-165"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-sns-topic-encryption-use-cmk" range="github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=dd8a60be4cc6d726803f49301930795d266188d8/modules/config/main.tf:40"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-sns-topic-encryption-use-cmk" range="github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=dd8a60be4cc6d726803f49301930795d266188d8/modules/config/main.tf:40"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-sns-topic-encryption-use-cmk" range="github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=dd8a60be4cc6d726803f49301930795d266188d8/modules/config/main.tf:40"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-sns-topic-encryption-use-cmk" range="github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=dd8a60be4cc6d726803f49301930795d266188d8/modules/config/main.tf:40"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-sns-topic-encryption-use-cmk" range="github.com/ministryofjustice/modernisation-platform-terraform-baselines?ref=dd8a60be4cc6d726803f49301930795d266188d8/modules/config/main.tf:40"
2025-01-23T21:47:40Z	INFO	[terraform executor] Ignore finding	rule="aws-iam-enforce-group-mfa" range="git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=e803e25ce20a6ebd5579e0896f657fa739f6f03e/modules/iam-group-with-policies/main.tf:5-10"
2025-01-23T21:47:40Z	INFO	Number of language-specific files	num=0
2025-01-23T21:47:40Z	INFO	Detected config files	num=7
trivy_exitcode=0

*****************************

Running Trivy in terraform/single-sign-on
2025-01-23T21:47:40Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-23T21:47:40Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-23T21:47:40Z	INFO	[secret] Secret scanning is enabled
2025-01-23T21:47:40Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-23T21:47:40Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-23T21:47:41Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-23T21:47:41Z	INFO	Number of language-specific files	num=0
2025-01-23T21:47:41Z	INFO	Detected config files	num=1
trivy_exitcode=0

@github-actions GitHub Actions
Copy link
Contributor

Terraform Plan Summary

github
Plan: 0 to add, 1 to change, 0 to destroy.

@dms1981 dms1981 deployed to development January 23, 2025 22:01 — with GitHub Actions Active
@dms1981 dms1981 enabled auto-merge January 24, 2025 09:52
@dms1981 dms1981 added this pull request to the merge queue Jan 24, 2025
Merged via the queue into main with commit b738a10 Jan 24, 2025
27 checks passed
@dms1981 dms1981 deleted the feature/8345-native-locking-permissions branch January 24, 2025 09:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ep-93 ep-93 ep-93 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@dms1981 @ep-93