-
Notifications
You must be signed in to change notification settings - Fork 7
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: enable file scanning on Vault S3 bucket #611
Conversation
⚠ Terrform update availableTerraform: 1.7.4 (using 1.6.6)
Terragrunt: 0.55.10 (using 0.54.8) |
Staging: secrets✅ Terraform Init: Plan: 1 to add, 0 to change, 1 to destroy Show summary
Show planResource actions are indicated with the following symbols:
-/+ destroy and then create replacement
Terraform will perform the following actions:
# aws_secretsmanager_secret_version.notify_callback_bearer_token must be replaced
-/+ resource "aws_secretsmanager_secret_version" "notify_callback_bearer_token" {
~ arn = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:notify_callback_bearer_token-aXJPLs" -> (known after apply)
~ id = "arn:aws:secretsmanager:ca-central-1:687401027353:secret:notify_callback_bearer_token-aXJPLs|4A43D97C-2937-4E91-A924-ADF60955E459" -> (known after apply)
~ secret_string = (sensitive value) # forces replacement
~ version_id = "4A43D97C-2937-4E91-A924-ADF60955E459" -> (known after apply)
~ version_stages = [
- "AWSPREVIOUS",
] -> (known after apply)
# (1 unchanged attribute hidden)
}
Plan: 1 to add, 0 to change, 1 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.freshdesk_api_key"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.notify_api_key"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.notify_callback_bearer_token"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.recaptcha_secret"]
WARN - plan.json - main - Missing Common Tags: ["aws_secretsmanager_secret.token_secret"]
24 tests, 19 passed, 5 warnings, 0 failures, 0 exceptions
|
Staging: file_scanning✅ Terraform Init: Plan: 9 to add, 0 to change, 0 to destroy Show summary
Show planResource actions are indicated with the following symbols:
+ create
<= read (data resources)
Terraform will perform the following actions:
# module.vault_scan_object.data.aws_iam_policy_document.limit_tagging[0] will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "limit_tagging" {
+ id = (known after apply)
+ json = (known after apply)
+ statement {
+ actions = [
+ "s3:DeleteObjectTagging",
+ "s3:DeleteObjectVersionTagging",
+ "s3:PutObjectTagging",
+ "s3:PutObjectVersionTagging",
]
+ effect = "Deny"
+ resources = [
+ "arn:aws:s3:::forms-staging-vault-file-storage/*",
]
+ condition {
+ test = "StringNotLike"
+ values = [
+ (known after apply),
]
+ variable = "aws:PrincipalArn"
}
+ principals {
+ identifiers = [
+ "*",
]
+ type = "AWS"
}
}
+ statement {
+ actions = [
+ "s3:PutObjectTagging",
+ "s3:PutObjectVersionTagging",
]
+ effect = "Allow"
+ resources = [
+ "arn:aws:s3:::forms-staging-vault-file-storage/*",
]
+ principals {
+ identifiers = [
+ (known after apply),
]
+ type = "AWS"
}
}
}
# module.vault_scan_object.data.aws_iam_policy_document.s3_scan_object will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "s3_scan_object" {
+ id = (known after apply)
+ json = (known after apply)
+ statement {
+ actions = [
+ "sqs:SendMessage",
]
+ effect = "Allow"
+ resources = [
+ (known after apply),
]
+ sid = "S3sendToSQS"
+ condition {
+ test = "ArnEquals"
+ values = [
+ "arn:aws:s3:::forms-staging-vault-file-storage",
]
+ variable = "aws:SourceArn"
}
+ principals {
+ identifiers = [
+ "s3.amazonaws.com",
]
+ type = "Service"
}
}
+ statement {
+ actions = [
+ "sqs:DeleteMessage",
+ "sqs:GetQueueAttributes",
+ "sqs:ReceiveMessage",
]
+ effect = "Allow"
+ resources = [
+ (known after apply),
]
+ sid = "LambdaTriggerFromSQS"
+ principals {
+ identifiers = [
+ "arn:aws:iam::127893201980:role/s3-scan-object",
]
+ type = "AWS"
}
}
}
# module.vault_scan_object.data.aws_iam_policy_document.scan_files_download[0] will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "scan_files_download" {
+ id = (known after apply)
+ json = (known after apply)
+ statement {
+ actions = [
+ "s3:GetBucketLocation",
+ "s3:GetObject",
+ "s3:GetObjectTagging",
+ "s3:GetObjectVersion",
+ "s3:GetObjectVersionTagging",
+ "s3:ListBucket",
]
+ effect = "Allow"
+ resources = [
+ "arn:aws:s3:::forms-staging-vault-file-storage",
+ "arn:aws:s3:::forms-staging-vault-file-storage/*",
]
+ principals {
+ identifiers = [
+ (known after apply),
]
+ type = "AWS"
}
}
}
# module.vault_scan_object.data.aws_iam_policy_document.upload_bucket[0] will be read during apply
# (config refers to values not yet known)
<= data "aws_iam_policy_document" "upload_bucket" {
+ id = (known after apply)
+ json = (known after apply)
+ source_policy_documents = [
+ (known after apply),
+ (known after apply),
]
}
# module.vault_scan_object.aws_iam_policy.scan_files[0] will be created
+ resource "aws_iam_policy" "scan_files" {
+ arn = (known after apply)
+ id = (known after apply)
+ name = "ScanFilesGetObjects"
+ name_prefix = (known after apply)
+ path = "/"
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Action = [
+ "s3:PutObjectVersionTagging",
+ "s3:PutObjectTagging",
+ "s3:ListBucket",
+ "s3:GetObjectVersionTagging",
+ "s3:GetObjectVersion",
+ "s3:GetObjectTagging",
+ "s3:GetObject",
+ "s3:GetBucketLocation",
+ "s3:DeleteObjectVersionTagging",
+ "s3:DeleteObjectTagging",
]
+ Effect = "Allow"
+ Resource = [
+ "arn:aws:s3:::forms-staging-vault-file-storage/*",
+ "arn:aws:s3:::forms-staging-vault-file-storage",
]
},
]
+ Version = "2012-10-17"
}
)
+ policy_id = (known after apply)
+ tags = {
+ "CostCentre" = "forms-platform-staging"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "forms-platform-staging"
+ "Terraform" = "true"
}
}
# module.vault_scan_object.aws_iam_role.scan_files[0] will be created
+ resource "aws_iam_role" "scan_files" {
+ arn = (known after apply)
+ assume_role_policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "sts:AssumeRole"
+ Effect = "Allow"
+ Principal = {
+ AWS = [
+ "arn:aws:iam::127893201980:role/scan-files-api",
+ "arn:aws:iam::127893201980:role/s3-scan-object",
]
}
},
]
+ Version = "2012-10-17"
}
)
+ create_date = (known after apply)
+ force_detach_policies = false
+ id = (known after apply)
+ managed_policy_arns = (known after apply)
+ max_session_duration = 3600
+ name = "ScanFilesGetObjects"
+ name_prefix = (known after apply)
+ path = "/"
+ tags = {
+ "CostCentre" = "forms-platform-staging"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "forms-platform-staging"
+ "Terraform" = "true"
}
+ unique_id = (known after apply)
}
# module.vault_scan_object.aws_iam_role_policy_attachment.scan_files[0] will be created
+ resource "aws_iam_role_policy_attachment" "scan_files" {
+ id = (known after apply)
+ policy_arn = (known after apply)
+ role = "ScanFilesGetObjects"
}
# module.vault_scan_object.aws_kms_alias.s3_scan_object_queue will be created
+ resource "aws_kms_alias" "s3_scan_object_queue" {
+ arn = (known after apply)
+ id = (known after apply)
+ name = "alias/s3_scan_object_queue"
+ name_prefix = (known after apply)
+ target_key_arn = (known after apply)
+ target_key_id = (known after apply)
}
# module.vault_scan_object.aws_kms_key.s3_scan_object_queue will be created
+ resource "aws_kms_key" "s3_scan_object_queue" {
+ arn = (known after apply)
+ bypass_policy_lockout_safety_check = false
+ customer_master_key_spec = "SYMMETRIC_DEFAULT"
+ description = "S3 scan objects KMS key for SQS queue encryption"
+ enable_key_rotation = true
+ id = (known after apply)
+ is_enabled = true
+ key_id = (known after apply)
+ key_usage = "ENCRYPT_DECRYPT"
+ multi_region = (known after apply)
+ policy = jsonencode(
{
+ Statement = [
+ {
+ Action = "kms:*"
+ Effect = "Allow"
+ Principal = {
+ AWS = "arn:aws:iam::687401027353:root"
}
+ Resource = "*"
},
+ {
+ Action = [
+ "kms:GenerateDataKey*",
+ "kms:Decrypt",
]
+ Effect = "Allow"
+ Principal = {
+ AWS = "arn:aws:iam::127893201980:role/s3-scan-object"
+ Service = "s3.amazonaws.com"
}
+ Resource = "*"
},
]
+ Version = "2012-10-17"
}
)
+ tags = {
+ "CostCentre" = "forms-platform-staging"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "forms-platform-staging"
+ "Terraform" = "true"
}
}
# module.vault_scan_object.aws_s3_bucket_notification.s3_scan_object[0] will be created
+ resource "aws_s3_bucket_notification" "s3_scan_object" {
+ bucket = "forms-staging-vault-file-storage"
+ eventbridge = false
+ id = (known after apply)
+ queue {
+ events = [
+ "s3:ObjectCreated:*",
]
+ id = "ScanObjectCreated"
+ queue_arn = (known after apply)
}
}
# module.vault_scan_object.aws_s3_bucket_policy.upload_bucket[0] will be created
+ resource "aws_s3_bucket_policy" "upload_bucket" {
+ bucket = "forms-staging-vault-file-storage"
+ id = (known after apply)
+ policy = (known after apply)
}
# module.vault_scan_object.aws_sqs_queue.s3_scan_object will be created
+ resource "aws_sqs_queue" "s3_scan_object" {
+ arn = (known after apply)
+ content_based_deduplication = false
+ deduplication_scope = (known after apply)
+ delay_seconds = 0
+ fifo_queue = false
+ fifo_throughput_limit = (known after apply)
+ id = (known after apply)
+ kms_data_key_reuse_period_seconds = (known after apply)
+ kms_master_key_id = (known after apply)
+ max_message_size = 262144
+ message_retention_seconds = 345600
+ name = "s3-scan-object"
+ name_prefix = (known after apply)
+ policy = (known after apply)
+ receive_wait_time_seconds = 0
+ redrive_allow_policy = (known after apply)
+ redrive_policy = (known after apply)
+ sqs_managed_sse_enabled = (known after apply)
+ tags = {
+ "CostCentre" = "forms-platform-staging"
+ "Terraform" = "true"
}
+ tags_all = {
+ "CostCentre" = "forms-platform-staging"
+ "Terraform" = "true"
}
+ url = (known after apply)
+ visibility_timeout_seconds = 300
}
# module.vault_scan_object.aws_sqs_queue_policy.s3_scan_object will be created
+ resource "aws_sqs_queue_policy" "s3_scan_object" {
+ id = (known after apply)
+ policy = (known after apply)
+ queue_url = (known after apply)
}
Plan: 9 to add, 0 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest results20 tests, 20 passed, 0 warnings, 0 failures, 0 exceptions
|
Staging: lambdas✅ Terraform Init: Plan: 0 to add, 1 to change, 0 to destroy Show summary
Show planResource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# aws_lambda_function.vault_integrity will be updated in-place
~ resource "aws_lambda_function" "vault_integrity" {
id = "Vault_Data_Integrity_Check"
~ last_modified = "2024-02-22T13:56:36.000+0000" -> (known after apply)
~ source_code_hash = "PD5RmSEVjAYMZc1lvfSSn6O3RadR+J09hCPKVbQS/+g=" -> "TowbMcppnki+0a5fq50Oral3CqleiwGw7U1igvFz0Ws="
tags = {}
# (24 unchanged attributes hidden)
# (3 unchanged blocks hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: plan.tfplan
To perform exactly these actions, run the following command to apply:
terraform apply "plan.tfplan"
Show Conftest resultsWARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.audit_logs_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.form_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.nagware_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.reliability_dlq_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_event_rule.response_archiver_lambda_trigger"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.archive_form_templates"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.audit_logs"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.audit_logs_archiver"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.dead_letter_queue_consumer"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.nagware"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.reliability"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.response_archiver"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.submission"]
WARN - plan.json - main - Missing Common Tags: ["aws_cloudwatch_log_group.vault_integrity"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_dynamodb"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_kms"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_logging"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_rds"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_s3"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_secrets"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_sns"]
WARN - plan.json - main - Missing Common Tags: ["aws_iam_policy.lambda_sqs"]
WARN -... |
Summary | Résumé
linked to cds-snc/scan-files#872