✨ Add Role For GitHub Actions to Query CloudTrail #9379

connormaglynn · 2025-01-16T17:13:03Z

👀 Purpose

In relation to ♻️ Migrate Dormant User Process Infrastructure to Strategic Hosting Architecture operations-engineering#5127
To create a role that allows our Dormant Users Python script to query CloudTrail

♻️ What's changed

Added GitHub Actions OIDC Provider
Added Role for Dormant Users Python Script to assume to query CloudTrail

github-actions · 2025-01-16T17:15:33Z

`Trivy Scan` Success

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/operations-engineering

Running Trivy in terraform/environments/operations-engineering
2025-01-16T17:15:20Z INFO [vulndb] Need to update DB
2025-01-16T17:15:20Z INFO [vulndb] Downloading vulnerability DB...
2025-01-16T17:15:20Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:15:23Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:15:23Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T17:15:23Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T17:15:23Z INFO [misconfig] Need to update the built-in checks
2025-01-16T17:15:23Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-16T17:15:23Z INFO [secret] Secret scanning is enabled
2025-01-16T17:15:23Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T17:15:23Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-16T17:15:25Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-16T17:15:25Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-16T17:15:26Z INFO Number of language-specific files num=0
2025-01-16T17:15:26Z INFO Detected config files num=3
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/operations-engineering

*****************************

Running Checkov in terraform/environments/operations-engineering
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-16 17:15:28,904 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/operations-engineering-cloudtrail-lake-github-audit-log-terraform-module?ref=299e5774acd66d86909e8a77017ee420ff79028e:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 48, Failed checks: 2, Skipped checks: 0

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cloudtrail_query_policy
	File: /audit_log_streaming_github_cloudtrail.tf:44-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		44 | resource "aws_iam_policy" "cloudtrail_query_policy" {
		45 |   name        = "cloudtrail_query_policy"
		46 |   description = "Policy to query CloudTrail Data Lake"
		47 | 
		48 |   policy = jsonencode({
		49 |     "Version" : "2012-10-17",
		50 |     "Statement" : [
		51 |       {
		52 |         "Effect" : "Allow",
		53 |         "Action" : [
		54 |           "cloudtrail:LookupEvents",
		55 |           "cloudtrail:StartQuery",
		56 |           "cloudtrail:GetQueryResults"
		57 |         ],
		58 |         "Resource" : "*"
		59 |       }
		60 |     ]
		61 |   })
		62 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cloudtrail_query_policy
	File: /audit_log_streaming_github_cloudtrail.tf:44-62
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		44 | resource "aws_iam_policy" "cloudtrail_query_policy" {
		45 |   name        = "cloudtrail_query_policy"
		46 |   description = "Policy to query CloudTrail Data Lake"
		47 | 
		48 |   policy = jsonencode({
		49 |     "Version" : "2012-10-17",
		50 |     "Statement" : [
		51 |       {
		52 |         "Effect" : "Allow",
		53 |         "Action" : [
		54 |           "cloudtrail:LookupEvents",
		55 |           "cloudtrail:StartQuery",
		56 |           "cloudtrail:GetQueryResults"
		57 |         ],
		58 |         "Resource" : "*"
		59 |       }
		60 |     ]
		61 |   })
		62 | }


checkov_exitcode=1

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/operations-engineering

*****************************

Running tflint in terraform/environments/operations-engineering
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

`Trivy Scan` Success

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/operations-engineering

*****************************

Running Trivy in terraform/environments/operations-engineering
2025-01-16T17:15:20Z	INFO	[vulndb] Need to update DB
2025-01-16T17:15:20Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-16T17:15:20Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:15:23Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:15:23Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-16T17:15:23Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-16T17:15:23Z	INFO	[misconfig] Need to update the built-in checks
2025-01-16T17:15:23Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-16T17:15:23Z	INFO	[secret] Secret scanning is enabled
2025-01-16T17:15:23Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T17:15:23Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-16T17:15:25Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-16T17:15:25Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-16T17:15:26Z	INFO	Number of language-specific files	num=0
2025-01-16T17:15:26Z	INFO	Detected config files	num=3
trivy_exitcode=0

github-actions · 2025-01-16T17:28:45Z

`Trivy Scan` Success

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/operations-engineering

Running Trivy in terraform/environments/operations-engineering
2025-01-16T17:28:36Z INFO [vulndb] Need to update DB
2025-01-16T17:28:36Z INFO [vulndb] Downloading vulnerability DB...
2025-01-16T17:28:36Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:28:39Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:28:39Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T17:28:39Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T17:28:39Z INFO [misconfig] Need to update the built-in checks
2025-01-16T17:28:39Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-16T17:28:39Z INFO [secret] Secret scanning is enabled
2025-01-16T17:28:39Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T17:28:39Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-16T17:28:40Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-16T17:28:40Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-16T17:28:41Z INFO Number of language-specific files num=0
2025-01-16T17:28:41Z INFO Detected config files num=3
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/operations-engineering

*****************************

Running Checkov in terraform/environments/operations-engineering
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-16 17:28:43,462 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/operations-engineering-cloudtrail-lake-github-audit-log-terraform-module?ref=299e5774acd66d86909e8a77017ee420ff79028e:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 48, Failed checks: 2, Skipped checks: 0

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cloudtrail_query_policy
	File: /audit_log_streaming_github_cloudtrail.tf:43-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		43 | resource "aws_iam_policy" "cloudtrail_query_policy" {
		44 |   name        = "cloudtrail_query_policy"
		45 |   description = "Policy to query CloudTrail Data Lake"
		46 | 
		47 |   policy = jsonencode({
		48 |     "Version" : "2012-10-17",
		49 |     "Statement" : [
		50 |       {
		51 |         "Effect" : "Allow",
		52 |         "Action" : [
		53 |           "cloudtrail:LookupEvents",
		54 |           "cloudtrail:StartQuery",
		55 |           "cloudtrail:GetQueryResults"
		56 |         ],
		57 |         "Resource" : "*"
		58 |       }
		59 |     ]
		60 |   })
		61 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cloudtrail_query_policy
	File: /audit_log_streaming_github_cloudtrail.tf:43-61
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		43 | resource "aws_iam_policy" "cloudtrail_query_policy" {
		44 |   name        = "cloudtrail_query_policy"
		45 |   description = "Policy to query CloudTrail Data Lake"
		46 | 
		47 |   policy = jsonencode({
		48 |     "Version" : "2012-10-17",
		49 |     "Statement" : [
		50 |       {
		51 |         "Effect" : "Allow",
		52 |         "Action" : [
		53 |           "cloudtrail:LookupEvents",
		54 |           "cloudtrail:StartQuery",
		55 |           "cloudtrail:GetQueryResults"
		56 |         ],
		57 |         "Resource" : "*"
		58 |       }
		59 |     ]
		60 |   })
		61 | }


checkov_exitcode=1

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/operations-engineering

*****************************

Running tflint in terraform/environments/operations-engineering
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

`Trivy Scan` Success

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/operations-engineering

*****************************

Running Trivy in terraform/environments/operations-engineering
2025-01-16T17:28:36Z	INFO	[vulndb] Need to update DB
2025-01-16T17:28:36Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-16T17:28:36Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:28:39Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T17:28:39Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-16T17:28:39Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-16T17:28:39Z	INFO	[misconfig] Need to update the built-in checks
2025-01-16T17:28:39Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2025-01-16T17:28:39Z	INFO	[secret] Secret scanning is enabled
2025-01-16T17:28:39Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T17:28:39Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-16T17:28:40Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-16T17:28:40Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-16T17:28:41Z	INFO	Number of language-specific files	num=0
2025-01-16T17:28:41Z	INFO	Detected config files	num=3
trivy_exitcode=0

github-actions · 2025-01-16T18:20:53Z

`Trivy Scan` Success

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/operations-engineering

Running Trivy in terraform/environments/operations-engineering
2025-01-16T18:20:44Z INFO [vulndb] Need to update DB
2025-01-16T18:20:44Z INFO [vulndb] Downloading vulnerability DB...
2025-01-16T18:20:44Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T18:20:46Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T18:20:46Z INFO [vuln] Vulnerability scanning is enabled
2025-01-16T18:20:46Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-16T18:20:46Z INFO [misconfig] Need to update the built-in checks
2025-01-16T18:20:46Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-16T18:20:46Z INFO [secret] Secret scanning is enabled
2025-01-16T18:20:46Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T18:20:46Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-16T18:20:47Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-16T18:20:47Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-16T18:20:48Z INFO Number of language-specific files num=0
2025-01-16T18:20:48Z INFO Detected config files num=3
trivy_exitcode=0

</details> #### `Checkov Scan` Failed
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/operations-engineering

*****************************

Running Checkov in terraform/environments/operations-engineering
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-16 18:20:50,953 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/operations-engineering-cloudtrail-lake-github-audit-log-terraform-module?ref=299e5774acd66d86909e8a77017ee420ff79028e:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 48, Failed checks: 2, Skipped checks: 0

Check: CKV_AWS_290: "Ensure IAM policies does not allow write access without constraints"
	FAILED for resource: aws_iam_policy.cloudtrail_query_policy
	File: /audit_log_streaming_github_cloudtrail.tf:39-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-290

		39 | resource "aws_iam_policy" "cloudtrail_query_policy" {
		40 |   name        = "cloudtrail_query_policy"
		41 |   description = "Policy to query CloudTrail Data Lake"
		42 | 
		43 |   policy = jsonencode({
		44 |     "Version" : "2012-10-17",
		45 |     "Statement" : [
		46 |       {
		47 |         "Effect" : "Allow",
		48 |         "Action" : [
		49 |           "cloudtrail:LookupEvents",
		50 |           "cloudtrail:StartQuery",
		51 |           "cloudtrail:GetQueryResults"
		52 |         ],
		53 |         "Resource" : "*"
		54 |       }
		55 |     ]
		56 |   })
		57 | }

Check: CKV_AWS_355: "Ensure no IAM policies documents allow "*" as a statement's resource for restrictable actions"
	FAILED for resource: aws_iam_policy.cloudtrail_query_policy
	File: /audit_log_streaming_github_cloudtrail.tf:39-57
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-iam-policies/bc-aws-355

		39 | resource "aws_iam_policy" "cloudtrail_query_policy" {
		40 |   name        = "cloudtrail_query_policy"
		41 |   description = "Policy to query CloudTrail Data Lake"
		42 | 
		43 |   policy = jsonencode({
		44 |     "Version" : "2012-10-17",
		45 |     "Statement" : [
		46 |       {
		47 |         "Effect" : "Allow",
		48 |         "Action" : [
		49 |           "cloudtrail:LookupEvents",
		50 |           "cloudtrail:StartQuery",
		51 |           "cloudtrail:GetQueryResults"
		52 |         ],
		53 |         "Resource" : "*"
		54 |       }
		55 |     ]
		56 |   })
		57 | }


checkov_exitcode=1

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/operations-engineering

*****************************

Running tflint in terraform/environments/operations-engineering
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

`Trivy Scan` Success

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/operations-engineering

*****************************

Running Trivy in terraform/environments/operations-engineering
2025-01-16T18:20:44Z	INFO	[vulndb] Need to update DB
2025-01-16T18:20:44Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-16T18:20:44Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T18:20:46Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-16T18:20:46Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-16T18:20:46Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-16T18:20:46Z	INFO	[misconfig] Need to update the built-in checks
2025-01-16T18:20:46Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-16T18:20:46Z	INFO	[secret] Secret scanning is enabled
2025-01-16T18:20:46Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-16T18:20:46Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-16T18:20:47Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-16T18:20:47Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-16T18:20:48Z	INFO	Number of language-specific files	num=0
2025-01-16T18:20:48Z	INFO	Detected config files	num=3
trivy_exitcode=0

github-actions · 2025-01-17T14:09:14Z

`Trivy Scan` Success

Show Output

```hcl

Trivy will check the following folders:
terraform/environments/operations-engineering

Running Trivy in terraform/environments/operations-engineering
2025-01-17T14:09:01Z INFO [vulndb] Need to update DB
2025-01-17T14:09:01Z INFO [vulndb] Downloading vulnerability DB...
2025-01-17T14:09:01Z INFO [vulndb] Downloading artifact... repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-17T14:09:04Z INFO [vulndb] Artifact successfully downloaded repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-17T14:09:04Z INFO [vuln] Vulnerability scanning is enabled
2025-01-17T14:09:04Z INFO [misconfig] Misconfiguration scanning is enabled
2025-01-17T14:09:04Z INFO [misconfig] Need to update the built-in checks
2025-01-17T14:09:04Z INFO [misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-17T14:09:04Z INFO [secret] Secret scanning is enabled
2025-01-17T14:09:04Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-17T14:09:04Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-17T14:09:06Z INFO [terraform scanner] Scanning root module file_path="."
2025-01-17T14:09:06Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2025-01-17T14:09:07Z INFO Number of language-specific files num=0
2025-01-17T14:09:07Z INFO Detected config files num=3
trivy_exitcode=0

</details> #### `Checkov Scan` Success
<details><summary>Show Output</summary>

```hcl

*****************************

Checkov will check the following folders:
terraform/environments/operations-engineering

*****************************

Running Checkov in terraform/environments/operations-engineering
Excluding the following checks: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
2025-01-17 14:09:10,009 [MainThread  ] [WARNI]  Failed to download module github.com/ministryofjustice/operations-engineering-cloudtrail-lake-github-audit-log-terraform-module?ref=299e5774acd66d86909e8a77017ee420ff79028e:None (for external modules, the --download-external-modules flag is required)
terraform scan results:

Passed checks: 48, Failed checks: 0, Skipped checks: 2


checkov_exitcode=0

`CTFLint Scan` Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint will check the following folders:
terraform/environments/operations-engineering

*****************************

Running tflint in terraform/environments/operations-engineering
Excluding the following checks: terraform_unused_declarations
tflint_exitcode=0

`Trivy Scan` Success

Show Output

*****************************

Trivy will check the following folders:
terraform/environments/operations-engineering

*****************************

Running Trivy in terraform/environments/operations-engineering
2025-01-17T14:09:01Z	INFO	[vulndb] Need to update DB
2025-01-17T14:09:01Z	INFO	[vulndb] Downloading vulnerability DB...
2025-01-17T14:09:01Z	INFO	[vulndb] Downloading artifact...	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-17T14:09:04Z	INFO	[vulndb] Artifact successfully downloaded	repo="public.ecr.aws/aquasecurity/trivy-db:2"
2025-01-17T14:09:04Z	INFO	[vuln] Vulnerability scanning is enabled
2025-01-17T14:09:04Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-01-17T14:09:04Z	INFO	[misconfig] Need to update the built-in checks
2025-01-17T14:09:04Z	INFO	[misconfig] Downloading the built-in checks...
160.80 KiB / 160.80 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-01-17T14:09:04Z	INFO	[secret] Secret scanning is enabled
2025-01-17T14:09:04Z	INFO	[secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2025-01-17T14:09:04Z	INFO	[secret] Please see also https://aquasecurity.github.io/trivy/v0.57/docs/scanner/secret#recommendation for faster secret detection
2025-01-17T14:09:06Z	INFO	[terraform scanner] Scanning root module	file_path="."
2025-01-17T14:09:06Z	WARN	[terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly.	module="root" variables="networking"
2025-01-17T14:09:07Z	INFO	Number of language-specific files	num=0
2025-01-17T14:09:07Z	INFO	Detected config files	num=3
trivy_exitcode=0

andyrogers1973

👍

connormaglynn requested review from a team as code owners January 16, 2025 17:13

connormaglynn changed the title ~~✨ Add Role For GitHub Actions to QueryCloudTrail~~ ✨ Add Role For GitHub Actions to Query CloudTrail Jan 16, 2025

github-actions bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label Jan 16, 2025

✨ Add Role For GitHub Actions to QueryCloudTrail

d760410

connormaglynn force-pushed the add-role-for-github-actions branch from c5f13c0 to d760410 Compare January 16, 2025 17:26

connormaglynn had a problem deploying to operations-engineering-development January 16, 2025 17:27 — with GitHub Actions Failure

Reuse OIDC Provider

d16657d

connormaglynn temporarily deployed to operations-engineering-development January 16, 2025 18:19 — with GitHub Actions Inactive

🙈 Ignore Checkov Errors

96acc4c

connormaglynn deployed to operations-engineering-development January 17, 2025 14:08 — with GitHub Actions Active

andyrogers1973 approved these changes Jan 17, 2025

View reviewed changes

connormaglynn merged commit 78b3704 into main Jan 17, 2025
10 checks passed

connormaglynn deleted the add-role-for-github-actions branch January 17, 2025 14:19

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

✨ Add Role For GitHub Actions to Query CloudTrail #9379

✨ Add Role For GitHub Actions to Query CloudTrail #9379

connormaglynn commented Jan 16, 2025

github-actions bot commented Jan 16, 2025

github-actions bot commented Jan 16, 2025

github-actions bot commented Jan 16, 2025

github-actions bot commented Jan 17, 2025

andyrogers1973 left a comment

✨ Add Role For GitHub Actions to Query CloudTrail #9379

✨ Add Role For GitHub Actions to Query CloudTrail #9379

Conversation

connormaglynn commented Jan 16, 2025

👀 Purpose

♻️ What's changed

github-actions bot commented Jan 16, 2025

Trivy Scan Success

CTFLint Scan Success

Trivy Scan Success

github-actions bot commented Jan 16, 2025

Trivy Scan Success

CTFLint Scan Success

Trivy Scan Success

github-actions bot commented Jan 16, 2025

Trivy Scan Success

CTFLint Scan Success

Trivy Scan Success

github-actions bot commented Jan 17, 2025

Trivy Scan Success

CTFLint Scan Success

Trivy Scan Success

andyrogers1973 left a comment

Choose a reason for hiding this comment

`Trivy Scan` Success

`CTFLint Scan` Success

`Trivy Scan` Success

`Trivy Scan` Success

`CTFLint Scan` Success

`Trivy Scan` Success

`Trivy Scan` Success

`CTFLint Scan` Success

`Trivy Scan` Success

`Trivy Scan` Success

`CTFLint Scan` Success

`Trivy Scan` Success