diff --git a/.github/workflows/checkov-tf.yml b/.github/workflows/checkov-tf.yml index 6bdf63ede..031ee039f 100644 --- a/.github/workflows/checkov-tf.yml +++ b/.github/workflows/checkov-tf.yml @@ -4,6 +4,10 @@ on: pull_request: branches: - develop + +env: + CHECKOV_OUTPUT_CODE_LINE_LIMIT: 255 + jobs: build: diff --git a/infrastructure/new-relic/main.tf b/infrastructure/new-relic/main.tf index 30658431a..00e75e286 100644 --- a/infrastructure/new-relic/main.tf +++ b/infrastructure/new-relic/main.tf @@ -10,14 +10,18 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "=3.70.0" + version = "=4.55.0" } } - required_version = "1.0.0" + required_version = "1.5.0" +} + +locals { + myregion = "us-east-1" } provider "aws" { - region = "us-east-1" + region = local.myregion } data "aws_caller_identity" "current" {} @@ -57,7 +61,7 @@ resource "aws_iam_policy" "new_relic_budget_policy" { { "Effect": "Allow", "Action": ["budgets:ViewBudget"], - "Resource": "*" + "Resource": "arn:aws:${local.myregion}:*:*:*" } ] } diff --git a/infrastructure/terraform/modules/iam.tf b/infrastructure/terraform/modules/iam.tf index fff50ee12..01865af7d 100644 --- a/infrastructure/terraform/modules/iam.tf +++ b/infrastructure/terraform/modules/iam.tf @@ -342,7 +342,7 @@ resource "aws_iam_policy" "conversiontool_svc_policy" { "iam:GetRole", "iam:PassRole" ], - "Resource": "*" + "Resource": "arn:aws:ecs:${var.region}:*:*" }, { "Sid": "AllowS3", @@ -384,7 +384,7 @@ resource "aws_iam_policy" "conversiontool_svc_policy" { "Sid": "ECRauthorization", "Effect": "Allow", "Action": "ecr:GetAuthorizationToken", - "Resource": "*" + "Resource": "arn:aws:ecr:${var.region}:*:*" }, { "Sid": "ECRPermissions", diff --git a/infrastructure/terraform/modules/newrelic/provider.tf b/infrastructure/terraform/modules/newrelic/provider.tf index 240ab1535..3da769ee6 100644 --- a/infrastructure/terraform/modules/newrelic/provider.tf +++ b/infrastructure/terraform/modules/newrelic/provider.tf @@ -6,7 +6,7 @@ terraform { required_providers { newrelic = { source = "newrelic/newrelic" - version = "2.49.0" + version = "3.25.2" } } } diff --git a/infrastructure/terraform/modules/openid-connect/gha_openid.tf b/infrastructure/terraform/modules/openid-connect/gha_openid.tf index 7066c2a64..ae5606c2a 100644 --- a/infrastructure/terraform/modules/openid-connect/gha_openid.tf +++ b/infrastructure/terraform/modules/openid-connect/gha_openid.tf @@ -2,10 +2,10 @@ terraform { required_providers { aws = { source = "hashicorp/aws" - version = "=3.70.0" + version = "=4.55.0" } } - required_version = "1.0.0" + required_version = "1.5.0" } provider "aws" { @@ -70,58 +70,58 @@ resource "aws_iam_policy" "github_actions_conversiontool_policy" { "iam:GetRole", "iam:PassRole" ], - "Resource": "*" + "Resource": "arn:aws:ecs:${var.region}:*:*" }, - { - "Action": [ - "acm:ListCertificates", - "acm:ExportCertificate", - "acm:GetCertificate", - "acm:DescribeCertificate" - ], - "Effect": "Allow", - "Resource": ["arn:aws:acm:${var.region}:${data.aws_caller_identity.current.account_id}:certificate/*"], - "Sid": "ACMPermissions" - }, - { - "Sid": "ECRauthorization", - "Effect": "Allow", - "Action": "ecr:GetAuthorizationToken", - "Resource": "*" - }, + { + "Action": [ + "acm:ListCertificates", + "acm:ExportCertificate", + "acm:GetCertificate", + "acm:DescribeCertificate" + ], + "Effect": "Allow", + "Resource": ["arn:aws:acm:${var.region}:${data.aws_caller_identity.current.account_id}:certificate/*"], + "Sid": "ACMPermissions" + }, + { + "Sid": "ECRauthorization", + "Effect": "Allow", + "Action": "ecr:GetAuthorizationToken", + "Resource": "arn:aws:ecr:${var.region}:*:*" + }, { - "Sid": "ECRPermissions", - "Effect": "Allow", - "Action": [ - "ecr:GetDownloadUrlForLayer", - "ecr:BatchGetImage", - "ecr:CompleteLayerUpload", - "ecr:UploadLayerPart", - "ecr:InitiateLayerUpload", - "ecr:BatchCheckLayerAvailability", - "ecr:PutImage" - ], - "Resource":[ - "arn:aws:ecr:us-east-1:003384571330:repository/new-qpp-conversion-tool", - "003384571330.dkr.ecr.us-east-1.amazonaws.com/qppsf/conversion-tool/dev", - "003384571330.dkr.ecr.us-east-1.amazonaws.com/qppsf/conversion-tool/devpre", - "003384571330.dkr.ecr.us-east-1.amazonaws.com/qppsf/conversion-tool/impl", - "003384571330.dkr.ecr.us-east-1.amazonaws.com/qppsf/conversion-tool/prod" - ] - }, - { - "Action": [ - "ssm:GetParameters", - "ssm:PutParameter", - "ssm:GetParameterHistory", - "ssm:GetParametersByPath", - "ssm:GetParameter", - "ssm:DescribeParameters" - ], - "Effect": "Allow", - "Resource": ["arn:aws:ssm:${var.region}:${data.aws_caller_identity.current.account_id}:parameter/qppar-sf/*"], - "Sid": "SSMPermissions" - } + "Sid": "ECRPermissions", + "Effect": "Allow", + "Action": [ + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:CompleteLayerUpload", + "ecr:UploadLayerPart", + "ecr:InitiateLayerUpload", + "ecr:BatchCheckLayerAvailability", + "ecr:PutImage" + ], + "Resource":[ + "arn:aws:ecr:us-east-1:003384571330:repository/new-qpp-conversion-tool", + "003384571330.dkr.ecr.us-east-1.amazonaws.com/qppsf/conversion-tool/dev", + "003384571330.dkr.ecr.us-east-1.amazonaws.com/qppsf/conversion-tool/devpre", + "003384571330.dkr.ecr.us-east-1.amazonaws.com/qppsf/conversion-tool/impl", + "003384571330.dkr.ecr.us-east-1.amazonaws.com/qppsf/conversion-tool/prod" + ] + }, + { + "Action": [ + "ssm:GetParameters", + "ssm:PutParameter", + "ssm:GetParameterHistory", + "ssm:GetParametersByPath", + "ssm:GetParameter", + "ssm:DescribeParameters" + ], + "Effect": "Allow", + "Resource": ["arn:aws:ssm:${var.region}:${data.aws_caller_identity.current.account_id}:parameter/qppar-sf/*"], + "Sid": "SSMPermissions" + } ] }) } diff --git a/infrastructure/terraform/modules/s3.tf b/infrastructure/terraform/modules/s3.tf index d9ca72fcc..035fca216 100644 --- a/infrastructure/terraform/modules/s3.tf +++ b/infrastructure/terraform/modules/s3.tf @@ -156,15 +156,16 @@ resource "aws_s3_bucket_lifecycle_configuration" "log_bucket" { # } } -resource "aws_s3_bucket_ownership_controls" "log_bucket" { - bucket = aws_s3_bucket.log_bucket.id - rule { - object_ownership = "BucketOwnerPreferred" - } -} +# QPPSE-1461 +# resource "aws_s3_bucket_ownership_controls" "log_bucket" { +# bucket = aws_s3_bucket.log_bucket.id +# rule { +# object_ownership = "BucketOwnerPreferred" +# } +# } resource "aws_s3_bucket_acl" "log_bucket" { - depends_on = [aws_s3_bucket_ownership_controls.log_bucket] + # depends_on = [aws_s3_bucket_ownership_controls.log_bucket] bucket = aws_s3_bucket.log_bucket.id