Resolved static code analysis issues found by tfsec by ronaldo-macapobre · Pull Request #10 · bcgov/jasper

ronaldo-macapobre · 2024-08-27T00:41:37Z

Pull Request for JIRA Ticket: JASPER-93

Issue ticket number and link

https://jag.gov.bc.ca/jira/browse/JASPER-93

Description

Changes are based from tfsec's recommendation to resolve static code analysis errors.
@amlanc1 and I agreed to commented out the test s3 related changes for the meantime to avoid tfsec to scan it. It will be retained for future reference.
There are still 5 critical errors that remains in tfsec which I think will be resolved once the Network Architecture has been finalized
1. Listener for application load balancer does not use HTTPS.
2. Security group rule allows ingress from public internet.
3. CRITICAL Security group rule allows ingress from public internet.
4. CRITICAL Security group rule allows egress to multiple public internet addresses.
5. CRITICAL Security group rule allows egress to multiple public internet addresses.

Type of change

Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

Trigger the Build and Deploy Infra workflows targeting feature branch.

Checklist:

My code follows the style guidelines of this project
I have performed a self-review of my code
I have commented my code, particularly in hard-to-understand areas
My changes generate no new warnings

- Comment out s3 test bucket related code

…tab.

- Rename deploy to build when build-infra wf is running

WadeBarnes

One recommendation.

.github/workflows/aws-template-terraform.yml

Co-authored-by: Wade Barnes <wade@neoterictech.ca>

- Pass node version as an argument rather than hardcoded.

sonarqubecloud · 2024-08-29T01:49:04Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

amlanc1

lgtm

Ronaldo Macapobre added 20 commits August 26, 2024 18:41

- Addressed tfscan errors

d210cc2

- Comment out s3 test bucket related code

Removed soft_fail param

09055fb

Changed to tfsec-sarif-action so that errors can be seen in Security …

c705292

…tab.

Changed codeql to v2

98aff67

Changing upload-sarif to v3

f5b41cc

Add github_token to pass in upload sarif file step

3cfc226

added sec events write permission

b2ac1cf

Add kms policy

1eed46f

Allow aws_kms_policy to Cloudwatch only

f0b07bf

Add kms policy for admins and cloudwatch

d706f02

Fixed ecs web td policy

7e24879

Fixed incorrect reference

4d35fde

Removed retention days

11ff771

Revert back retention days

7458d07

Adjust ecs policy to separate ecr:GetAuthorizationToken

51d08c8

Revert Resource=* first

270e9f1

Add ecr repo back

3c67986

Revert prevent deletion in ecr

74bbe4a

Add ecs web td log group arn back

6239189

ignore changes from encryption_config to prevent ECR to get deleted

2e5c36e

ronaldo-macapobre temporarily deployed to dev August 27, 2024 00:42 — with GitHub Actions Inactive

- Add check_changes step in deploy_infra

fe5e8a1

- Rename deploy to build when build-infra wf is running

ronaldo-macapobre temporarily deployed to dev August 27, 2024 00:50 — with GitHub Actions Inactive

ronaldo-macapobre requested review from WadeBarnes and amlanc1 August 27, 2024 01:05

ronaldo-macapobre self-assigned this Aug 27, 2024

ronaldo-macapobre changed the title ~~Feature infra enchancements~~ Resolved static code analysis issues found by tfsec Aug 27, 2024

WadeBarnes requested changes Aug 27, 2024

View reviewed changes

.github/workflows/aws-template-terraform.yml Outdated Show resolved Hide resolved

Replacing hash to tagged version as per recommendation

f6e0b6f

Co-authored-by: Wade Barnes <wade@neoterictech.ca>

ronaldo-macapobre temporarily deployed to dev August 27, 2024 15:29 — with GitHub Actions Inactive

Ronaldo Macapobre added 10 commits August 28, 2024 00:33

Revert changes to API

f4a1bc2

- Moved web Dockerfile to /docker/web.

2636f60

- Pass node version as an argument rather than hardcoded.

Renamed to app-vue so it can be tested on feature branch

2467d27

Moved --build-arg position to the front

803346e

Add major and minor node version.

a23746d

Revert code changes in devcontainer.json

9ab2718

Add ls to see all files

6409049

Changed source file location

8abb926

Run npm install as root user

9bc45d5

Rename back to publish-web.yml

70a3bca

ronaldo-macapobre temporarily deployed to dev August 28, 2024 00:34 — with GitHub Actions Inactive

Merge branch 'master' into feature-infraEnchancements

e9e6f71

ronaldo-macapobre temporarily deployed to dev August 28, 2024 00:40 — with GitHub Actions Inactive

Added api ecs related resources

dcfe229

ronaldo-macapobre temporarily deployed to dev August 28, 2024 21:32 — with GitHub Actions Inactive

ronaldo-macapobre temporarily deployed to dev August 28, 2024 21:35 — with GitHub Actions Inactive

ronaldo-macapobre temporarily deployed to dev August 28, 2024 21:37 — with GitHub Actions Inactive

Allow permissions inside td log groups

0c9c9c0

ronaldo-macapobre temporarily deployed to dev August 29, 2024 01:07 — with GitHub Actions Inactive

ronaldo-macapobre had a problem deploying to dev August 29, 2024 01:08 — with GitHub Actions Failure

Add retention days

8046499

ronaldo-macapobre temporarily deployed to dev August 29, 2024 01:11 — with GitHub Actions Inactive

ronaldo-macapobre temporarily deployed to dev August 29, 2024 01:13 — with GitHub Actions Inactive

Changed log group to api specific

f7663e0

ronaldo-macapobre temporarily deployed to dev August 29, 2024 01:47 — with GitHub Actions Inactive

ronaldo-macapobre temporarily deployed to dev August 29, 2024 02:07 — with GitHub Actions Inactive

amlanc1 approved these changes Aug 29, 2024

View reviewed changes

ronaldo-macapobre merged commit 7fbb9d4 into master Aug 29, 2024

ronaldo-macapobre deleted the feature-infraEnchancements branch October 11, 2024 15:14

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Resolved static code analysis issues found by tfsec#10

Resolved static code analysis issues found by tfsec#10
ronaldo-macapobre merged 75 commits intomasterfrom
feature-infraEnchancements

ronaldo-macapobre commented Aug 27, 2024 •

edited

Loading

Uh oh!

WadeBarnes left a comment

Uh oh!

Uh oh!

sonarqubecloud bot commented Aug 29, 2024

Uh oh!

amlanc1 left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

ronaldo-macapobre commented Aug 27, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Pull Request for JIRA Ticket: JASPER-93

Issue ticket number and link

Description

Type of change

How Has This Been Tested?

Checklist:

Uh oh!

WadeBarnes left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

sonarqubecloud bot commented Aug 29, 2024

Quality Gate passed

Uh oh!

amlanc1 left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

ronaldo-macapobre commented Aug 27, 2024 •

edited

Loading