Open hannes-ucsc opened 3 months ago
We currently use an aws_inspector2_enabler resource to enable Inspector for EC2 and ECR but there is nothing in TF to change the re-scan duration. There is a feature request for it but that request is still open.
The API for updating the re-scan duration is https://docs.aws.amazon.com/inspector/v2/APIReference/API_UpdateConfiguration.html so we could piggy-back an invocation of that API as a provisioner script for a null resource that depends on (and is triggered by) the aws_inspector2_enabler resource. IIRC, the aws_inspector2_enabler was unreliable and its effect could only be observed after a delay, but we can at least try. Care must be taken for the provisioner script to be robust, idempotent and to reliably report failure so that the delay issue can be dealt with by retrying the deployment with Terraform.
The TF resource for basic vs enhanced setting and the scan filters appears to be
and we should add that, again depending on (and triggered by) the aws_inspector2_enabler resource.
The aws_inspector2_enabler resource currently resides in the GitLab component so we need to move that first. There already is https://github.com/DataBiosphere/azul/issues/5760 for that.
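An added example, not code from this issue or from the Azul project: a POSIX shell script of the kind the null resource's local-exec provisioner could call. It sets the ECR re-scan duration through the UpdateConfiguration API (via the AWS CLI's `aws inspector2 update-configuration`), is idempotent (it first reads `aws inspector2 get-configuration` and does nothing when the value is already in place), polls until Inspector reports the change, and exits non-zero on any failure so that a Terraform retry can pick it up. The function names, the polling knobs (`RESCAN_POLL_ATTEMPTS`, `RESCAN_POLL_INTERVAL`) and the JSON shape assumed in the comments are this example's own assumptions; the allowed-value list covers LIFETIME, DAYS_30 and DAYS_90, so consult the API reference linked above for the full set.

```shell
#!/usr/bin/env sh
# Added example (not from the issue or the Azul repo): idempotent setter for the
# Inspector ECR re-scan duration, meant to be invoked from a null_resource
# local-exec provisioner as `sh inspector_rescan.sh DAYS_30`.
# Assumed GetConfiguration response shape (whitespace irrelevant):
#   {"ecrConfiguration":{"rescanDurationState":{"rescanDuration":"DAYS_30",
#                                               "status":"SUCCESS","updatedAt":...}}}
set -eu

# Return the body of the rescanDurationState object with all whitespace removed,
# so the remaining parsing does not depend on how the CLI pretty-prints JSON.
# Only POSIX tools are used so this works in a minimal provisioner environment.
rescan_state() {
  printf '%s' "$1" | tr -d ' \n\t' \
    | sed -n 's/.*"rescanDurationState":{\([^}]*\)}.*/\1/p'
}

# Extract a string-valued key from the flattened object ($1: object text, $2: key).
json_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([A-Za-z0-9_]*\)\".*/\1/p"
}

# Read the current state from Inspector; fail loudly if the API call itself fails.
read_state() {
  config=$(aws inspector2 get-configuration --output json) \
    || { echo "get-configuration failed" >&2; return 1; }
  rescan_state "$config"
}

# Ensure the re-scan duration equals $1. Exit codes: 0 done/no-op, 1 failure, 2 bad input.
ensure_rescan_duration() {
  desired=$1
  case $desired in
    LIFETIME|DAYS_30|DAYS_90) ;;   # values known from the API reference; extend if needed
    *) echo "invalid rescanDuration: $desired" >&2; return 2 ;;
  esac

  state=$(read_state) || return 1
  if [ "$(json_field "$state" rescanDuration)" = "$desired" ] \
     && [ "$(json_field "$state" status)" = "SUCCESS" ]; then
    echo "rescanDuration already $desired"
    return 0
  fi

  aws inspector2 update-configuration \
    --ecr-configuration "rescanDuration=$desired" >/dev/null \
    || { echo "update-configuration failed" >&2; return 1; }

  # The change is applied asynchronously; poll until Inspector confirms it so that
  # a PENDING state is never mistaken for success by the Terraform run.
  attempt=0
  while [ "$attempt" -lt "${RESCAN_POLL_ATTEMPTS:-12}" ]; do
    state=$(read_state) || return 1
    status=$(json_field "$state" status)
    if [ "$status" = "SUCCESS" ] \
       && [ "$(json_field "$state" rescanDuration)" = "$desired" ]; then
      echo "rescanDuration is now $desired"
      return 0
    fi
    if [ "$status" = "FAILED" ]; then
      echo "Inspector reported FAILED while applying rescanDuration=$desired" >&2
      return 1
    fi
    attempt=$((attempt + 1))
    sleep "${RESCAN_POLL_INTERVAL:-10}"
  done
  echo "timed out waiting for rescanDuration=$desired" >&2
  return 1
}

# When run as a script with an argument, apply it; sourcing the file only defines
# the functions. A non-zero return under `set -e` becomes the script's exit status,
# which is what makes the provisioner (and thus `terraform apply`) fail visibly.
if [ $# -gt 0 ]; then
  ensure_rescan_duration "$1"
fi
```

Because the script exits non-zero on a failed API call, a FAILED state or a poll timeout, a null_resource provisioner wrapping it fails the apply instead of silently leaving the account in the old state, and re-running the deployment simply retries.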
@hannes-ucsc: "Once we have clarity about the cause of #6354, assignee to manually modify the rescan duration in tempdev to be consistent with the other deployments. After that we can look into programmatically managing the resources as described above."
… by Terraform, and are inconsistent between accounts, for example
platform-temp-dev
platform-anvil-prod
Additionally, basic vs enhanced setting and the scan filters are not managed by TF either: