ministryofjustice / modernisation-platform


Bug - Modernisation Platform - Terraform Static Analysis Scheduled Nightly Job failing. #8244

Open mikereiddigital opened 3 hours ago

mikereiddigital commented 3 hours ago

Expected Behavior

The nightly scheduled Terraform Static Analysis job should run successfully and present any rule failures.

Actual Behavior

This job is now failing with a number of issues:

1. Instance of it not downloading the database:

```text
2024-10-11T07:14:58.7045218Z Running Trivy in terraform/environments ...
2024-10-11T07:14:58.7052764Z 2024-10-11T07:05:17Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: failed to fetch the layer: GET https://ghcr.io/v2/aquasecurity/trivy-db/blobs/sha256:d5984d994db8053be4c3cb88a0358784726280ff174ad24bb84b92138b8f4acb: TOOMANYREQUESTS: retry-after: 31.143µs, allowed: 44000/minute"
2024-10-11T07:14:58.7057231Z 2024-10-11T07:05:17Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: OCI artifact error: failed to download vulnerability DB: failed to download artifact from any source
2024-10-11T07:14:58.7059255Z trivy_exitcode=1
```

2. ~83 instances of trivy not liking some for_each blocks:

```text
2024-10-11T07:14:58.7076740Z Running Trivy in terraform/environments/analytical-platform-compute ...
2024-10-11T07:14:58.7097915Z 2024-10-11T07:05:22Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ram-ec2-retagging[0].data.aws_subnet.host" value="cty.NilVal"
...
2024-10-11T07:14:58.7101841Z trivy_exitcode=2
```

3. Couple of actual failures:

```text
2024-10-11T07:14:58.9104770Z modules/repository/main.tf (terraform)
2024-10-11T07:14:58.9104858Z ======================================
2024-10-11T07:14:58.9105024Z Tests: 14 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 13)
2024-10-11T07:14:58.9105130Z Failures: 1 (HIGH: 1, CRITICAL: 0)
2024-10-11T07:14:58.9105134Z
2024-10-11T07:14:58.9105317Z HIGH: Branch protection does not require signed commits.
2024-10-11T07:14:58.9105523Z ════════════════════════════════════════
2024-10-11T07:14:58.9105753Z GitHub branch protection should be set to require signed commits.
2024-10-11T07:14:58.9105758Z
2024-10-11T07:14:58.9106300Z You can do this by setting the require_signed_commits attribute to 'true'.
2024-10-11T07:14:58.9106306Z
2024-10-11T07:14:58.9106435Z
2024-10-11T07:14:58.9106647Z See https://avd.aquasec.com/misconfig/avd-git-0004
2024-10-11T07:14:58.9106825Z ────────────────────────────────────────
2024-10-11T07:14:58.9107011Z modules/repository/main.tf:62
2024-10-11T07:14:58.9107381Z via modules/repository/main.tf:56-77 (github_branch_protection.default)
2024-10-11T07:14:58.9107707Z via repositories.tf:239-260 (module.modernisation-platform-environments)
2024-10-11T07:14:58.9107868Z ────────────────────────────────────────
2024-10-11T07:14:58.9108035Z  56   resource "github_branch_protection" "default" {
2024-10-11T07:14:58.9108112Z  ..
2024-10-11T07:14:58.9108526Z  62 [ require_signed_commits = var.name == "modernisation-platform-environments" ? false : true
2024-10-11T07:14:58.9108604Z  ..
2024-10-11T07:14:58.9108681Z  77   }
2024-10-11T07:14:58.9108843Z ────────────────────────────────────────
2024-10-11T07:14:58.9108848Z
2024-10-11T07:14:58.9108864Z
2024-10-11T07:14:58.9108951Z trivy_exitcode=3
```

Steps to Reproduce the Problem

The nightly scheduled run has been failing all week and the errors are reproducible when run manually.

Version

No response

Modules

No response

Account

No response

mikereiddigital commented 2 hours ago

Further information from @connormaglynn

That for-each seems like it's a red herring :redherring:, since it shows as exitcode=0 on a successful run :white_tick:

```text
2024-10-02T07:42:20.0550349Z Running Trivy in terraform/environments/ccms-ebs
2024-10-02T07:42:20.0550737Z 2024-10-02T07:33:19Z INFO [vuln] Vulnerability scanning is enabled
2024-10-02T07:42:20.0551041Z 2024-10-02T07:33:19Z INFO [misconfig] Misconfiguration scanning is enabled
2024-10-02T07:42:20.0551272Z 2024-10-02T07:33:19Z INFO [secret] Secret scanning is enabled
2024-10-02T07:42:20.0551759Z 2024-10-02T07:33:19Z INFO [secret] If your scanning is slow, please try '--scanners vuln' to disable secret scanning
2024-10-02T07:42:20.0552462Z 2024-10-02T07:33:19Z INFO [secret] Please see also https://aquasecurity.github.io/trivy/v0.55/docs/scanner/secret#recommendation for faster secret detection
2024-10-02T07:42:20.0552779Z 2024-10-02T07:33:19Z INFO [terraform scanner] Scanning root module file_path="."
2024-10-02T07:42:20.0553578Z 2024-10-02T07:33:19Z WARN [terraform parser] Variable values was not found in the environment or variable files. Evaluating may not work correctly. module="root" variables="networking"
2024-10-02T07:42:20.0554479Z 2024-10-02T07:33:19Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ram-ec2-retagging[0].data.aws_subnet.host" value="cty.NilVal"
2024-10-02T07:42:20.0554866Z 2024-10-02T07:33:19Z INFO Number of language-specific files num=0
2024-10-02T07:42:20.0555061Z 2024-10-02T07:33:19Z INFO Detected config files num=1
2024-10-02T07:42:20.0555153Z trivy_exitcode=0
```

My guess would be that it's just those new errors that need fixing :spanner:
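The thread above boils down to a triage problem: the nightly log mixes three different things (a vulnerability-DB download that hit ghcr.io rate limits, ~83 `Failed to expand block` evaluator errors that also appear on a green run with `trivy_exitcode=0`, and one genuine misconfiguration finding). The script below is an added example, not part of the issue or of the modernisation-platform repository; it splits a flattened Actions log into one record per `Running Trivy in ...` block and separates actionable results from the for-each noise. The `SAMPLE_LOG` lines are constructed to match the shapes quoted in the issue (long values trimmed with `...`), and the `.` scan target for the branch-protection finding is an assumption, since the issue does not show which directory that scan ran in.

```python
"""Triage a flattened Trivy nightly-job log into actionable results and noise."""
import re

# Constructed sample in the shape of the Actions log quoted in the issue (not a real capture).
# The "." scan target for the last block is assumed; the issue does not show it.
SAMPLE_LOG = """\
2024-10-11T07:14:58.7045218Z Running Trivy in terraform/environments ...
2024-10-11T07:14:58.7052764Z 2024-10-11T07:05:17Z ERROR [vulndb] Failed to download artifact repo="ghcr.io/aquasecurity/trivy-db:2" err="oci download error: ... TOOMANYREQUESTS: retry-after: 31.143µs, allowed: 44000/minute"
2024-10-11T07:14:58.7057231Z 2024-10-11T07:05:17Z FATAL Fatal error init error: DB error: failed to download vulnerability DB: ...
2024-10-11T07:14:58.7059255Z trivy_exitcode=1
2024-10-11T07:14:58.7076740Z Running Trivy in terraform/environments/analytical-platform-compute ...
2024-10-11T07:14:58.7097915Z 2024-10-11T07:05:22Z ERROR [terraform evaluator] Failed to expand block. Invalid "for-each" argument. Must be known and iterable. block="module.ram-ec2-retagging[0].data.aws_subnet.host" value="cty.NilVal"
2024-10-11T07:14:58.7101841Z trivy_exitcode=2
2024-10-11T07:14:58.9104700Z Running Trivy in . ...
2024-10-11T07:14:58.9104770Z modules/repository/main.tf (terraform)
2024-10-11T07:14:58.9105024Z Tests: 14 (SUCCESSES: 0, FAILURES: 1, EXCEPTIONS: 13)
2024-10-11T07:14:58.9105130Z Failures: 1 (HIGH: 1, CRITICAL: 0)
2024-10-11T07:14:58.9105317Z HIGH: Branch protection does not require signed commits.
2024-10-11T07:14:58.9107011Z modules/repository/main.tf:62
2024-10-11T07:14:58.9108951Z trivy_exitcode=3
"""

# The Actions runner prefixes every line with its own timestamp; Trivy's own
# timestamp (if any) follows it and is left in place.
RUNNER_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T[0-9:.]+Z ")
TARGET_RE = re.compile(r"^Running Trivy in (\S+)")
EXIT_RE = re.compile(r"^trivy_exitcode=(\d+)")
FINDING_RE = re.compile(r"^(LOW|MEDIUM|HIGH|CRITICAL): (.+)$")


def split_scans(log_text):
    """Group log lines into one dict per 'Running Trivy in <target>' block."""
    scans = []
    current = None
    for raw in log_text.splitlines():
        line = RUNNER_TS.sub("", raw, count=1)
        match = TARGET_RE.match(line)
        if match:
            current = {"target": match.group(1), "lines": []}
            scans.append(current)
        elif current is not None:
            current["lines"].append(line)
    return scans


def classify(scan):
    """Summarise one scan block: DB failure, for-each evaluator noise, real findings."""
    lines = scan["lines"]
    report = {
        "target": scan["target"],
        "exitcode": None,
        "db_download_failed": any("[vulndb] Failed to download" in l for l in lines),
        # Seen on green runs too (exitcode=0), so counted but not treated as a failure.
        "for_each_warnings": sum("Failed to expand block" in l for l in lines),
        "findings": [],
    }
    for line in lines:
        exit_match = EXIT_RE.match(line)
        if exit_match:
            report["exitcode"] = int(exit_match.group(1))
        finding = FINDING_RE.match(line)
        if finding:
            report["findings"].append((finding.group(1), finding.group(2)))
    # Actionable = something a human must fix: a real finding, or the scanner
    # never got a vulnerability DB (the run silently lost its vuln coverage).
    report["actionable"] = bool(report["findings"]) or report["db_download_failed"]
    return report


def triage(log_text):
    """Return (all reports, actionable reports, reports that only carry for-each noise)."""
    reports = [classify(s) for s in split_scans(log_text)]
    actionable = [r for r in reports if r["actionable"]]
    noise_only = [r for r in reports if not r["actionable"] and r["for_each_warnings"]]
    return reports, actionable, noise_only


if __name__ == "__main__":
    _, actionable, noise_only = triage(SAMPLE_LOG)
    for r in actionable:
        reason = "vuln DB download failed" if r["db_download_failed"] else r["findings"]
        print(f"ACTION  {r['target']}: {reason}")
    for r in noise_only:
        print(f"NOISE   {r['target']}: {r['for_each_warnings']} for-each evaluator error(s)")
```

Run against a saved job log (`triage(open("job.log").read())`) the actionable list is what the nightly job should actually report on; the DB-download failure deserves its own line because a scan that never fetched `trivy-db` finishes without vulnerability coverage rather than with a visible error in the findings table.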