This Terraform module will install a Kubernetes namespace and Trivy operator in your cluster.
module "template" {
source = "github.com/ministryofjustice/cloud-platfrom-terraform-trivy-operator?ref=version"
}See the examples/ folder for more information.
| Name | Version |
|---|---|
| terraform | >= 1.2.5 |
| aws | >=4.0.0 |
| helm | >=2.6.0 |
| kubernetes | >=2.0.0 |
| Name | Version |
|---|---|
| helm | >=2.6.0 |
| kubernetes | >=2.0.0 |
| Name | Source | Version |
|---|---|---|
| iam_assumable_role_admin | terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc | 3.13.0 |
| Name | Type |
|---|---|
| helm_release.trivy-system | resource |
| kubernetes_namespace.trivy-system | resource |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cluster_domain_name | The cluster domain used for iam_assumable_role_admin role name | any |
n/a | yes |
| cpu_limit | resources:limits CPU value | string |
"500m" |
no |
| cpu_limit_non_live | Non-live cluster value for resources:limits CPU value | string |
"500m" |
no |
| cpu_requests | resources:requests CPU value | string |
"100m" |
no |
| cpu_requests_non_live | Non-live cluster value for resources:requests CPU value | string |
"100m" |
no |
| dockerhub_password | DockerHub password - required to avoid hitting Dockerhub API limits in EKS clusters | string |
"" |
no |
| dockerhub_username | DockerHub username - required to avoid hitting Dockerhub API limits in EKS clusters | string |
"" |
no |
| eks_cluster_oidc_issuer_url | This is going to be used when we create the IAM OIDC role | string |
"" |
no |
| enable_config_audit | flag to enable configuration audit scanner | string |
"false" |
no |
| enable_infra_assess | flag to enable infra assessment scanner | string |
"false" |
no |
| enable_rbac_assess | flag to enable rbac assessment scanner | string |
"false" |
no |
| enable_secret_scan | flag to enable exposed secret scanner | string |
"false" |
no |
| enable_trivy_server | Enable built-in trivy server (clientServer mode). If true, do not set githubToken value | string |
"false" |
no |
| github_token | GitHub Personal Access Token | string |
"" |
no |
| job_concurrency_limit | Sets the maximum value for concurrent report jobs | number |
10 |
no |
| memory_limit | resources:limit memory value | string |
"1000M" |
no |
| memory_limit_non_live | Non-live cluster value for resources:limit memory value | string |
"500M" |
no |
| memory_requests | resources:requests memory value | string |
"500M" |
no |
| memory_requests_non_live | Non-live clustrer value for resources:requests memory value | string |
"100M" |
no |
| role_key_annotation | The annotation key to use for the role key | string |
"eks.amazonaws.com/role-arn" |
no |
| scan_job_timeout | The length of time to wait before giving up on a scan job | string |
"5m" |
no |
| scanner_report_ttl | flag to set how long a report should exist. When a old report is deleted a new one will be created by the controller. | string |
"24h" |
no |
| service_monitor_enabled | Enable ServiceMonitor for Prometheus Operator | bool |
true |
no |
| severity_list | A single string providing comma separated list of CVE Severity levels to be monitored. Possible values are UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL | string |
"UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" |
no |
| trivy_service_account | Name of the k8s Service Account. If not set, name is generated automatically. | string |
"" |
no |
| trivy_timeout | Duration to wait for scan completion | string |
"5m0s" |
no |
No outputs.