team-all-in / all-in

All conversations, in one place.
https://all-in-henna.vercel.app
MIT License

fix #263

Closed naruse666 closed 1 month ago

tfaction-app[bot] commented 1 month ago

:x: Trivy error

Build link | trivy

Working Directory: terraform/env

| rule | severity | filepath | range | message |
|---|---|---|---|---|
| AVD-AWS-0057 | ERROR | app-runner.tf | 114 ... 114 | IAM policy document uses sensitive action 'ssm:GetParameters' on wildcarded resource '*' |
| AVD-AWS-0057 | ERROR | app-runner.tf | 73 ... 73 | IAM policy document uses sensitive action 'ecr:DescribeImages' on wildcarded resource '*' |
| AVD-AWS-0057 | ERROR | discord-runner.tf | 58 ... 58 | IAM policy document uses sensitive action 'ecr:DescribeImages' on wildcarded resource '*' |
| AVD-AWS-0033 | INFO | ecr.tf | 1 ... 7 | Repository is not encrypted using KMS. |
| AVD-AWS-0033 | INFO | ecr.tf | 65 ... 71 | Repository is not encrypted using KMS. |
| AVD-AWS-0033 | INFO | ecr.tf | 33 ... 39 | Repository is not encrypted using KMS. |
| AVD-AWS-0057 | ERROR | slack-app-runner.tf | 60 ... 60 | IAM policy document uses sensitive action 'ecr:DescribeImages' on wildcarded resource '*' |

tfaction-app[bot] commented 1 month ago

Plan Result (terraform/env)

CI link

Plan: 0 to add, 7 to change, 0 to destroy.
Change Result (Click me)

```hcl
  # data.aws_iam_policy_document.access will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "access" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "ecr:BatchGetImage",
              + "ecr:DescribeImages",
              + "ecr:GetDownloadUrlForLayer",
            ]
          + resources = [
              + "arn:aws:ecr:ap-northeast-1:451153100141:repository/all_in_api",
            ]
          + sid       = "ReadPrivateEcr"
        }
      + statement {
          + actions   = [
              + "ecr:DescribeImages",
              + "ecr:GetAuthorizationToken",
              + "ssm:DescribeParameters",
            ]
          + resources = [
              + "*",
            ]
          + sid       = "AuthPrivateEcr"
        }
    }

  # data.aws_iam_policy_document.discord_access will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "discord_access" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "ecr:BatchGetImage",
              + "ecr:DescribeImages",
              + "ecr:GetDownloadUrlForLayer",
            ]
          + resources = [
              + "arn:aws:ecr:ap-northeast-1:451153100141:repository/all_in_api_discord",
            ]
          + sid       = "ReadPrivateEcr"
        }
      + statement {
          + actions   = [
              + "ecr:DescribeImages",
              + "ecr:GetAuthorizationToken",
              + "ssm:DescribeParameters",
            ]
          + resources = [
              + "*",
            ]
          + sid       = "AuthPrivateEcr"
        }
    }

  # data.aws_iam_policy_document.slack_access will be read during apply
  # (depends on a resource or a module with changes pending)
 <= data "aws_iam_policy_document" "slack_access" {
      + id            = (known after apply)
      + json          = (known after apply)
      + minified_json = (known after apply)

      + statement {
          + actions   = [
              + "ecr:BatchGetImage",
              + "ecr:DescribeImages",
              + "ecr:GetDownloadUrlForLayer",
            ]
          + resources = [
              + "arn:aws:ecr:ap-northeast-1:451153100141:repository/all_in_api_slack",
            ]
          + sid       = "ReadPrivateEcr"
        }
      + statement {
          + actions   = [
              + "ecr:DescribeImages",
              + "ecr:GetAuthorizationToken",
              + "ssm:DescribeParameters",
            ]
          + resources = [
              + "*",
            ]
          + sid       = "AuthPrivateEcr"
        }
    }

  # aws_apprunner_service.all_in_api_slack will be updated in-place
  ~ resource "aws_apprunner_service" "all_in_api_slack" {
        id   = "arn:aws:apprunner:ap-northeast-1:451153100141:service/all_in_slack/a1d29e5b95024ae9bd54357249909875"
        tags = {
            "Name" = "slack-all-in-apprunner-service"
        }
        # (7 unchanged attributes hidden)

      ~ instance_configuration {
          ~ cpu    = "512" -> "0.25 vCPU"
          ~ memory = "1024" -> "0.5 GB"
            # (1 unchanged attribute hidden)
        }

        # (3 unchanged blocks hidden)
    }

  # aws_ecr_repository.all_in_api will be updated in-place
  ~ resource "aws_ecr_repository" "all_in_api" {
        id                   = "all_in_api"
      ~ image_tag_mutability = "IMMUTABLE" -> "MUTABLE"
        name                 = "all_in_api"
        tags                 = {}
        # (4 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # aws_ecr_repository.all_in_api_discord will be updated in-place
  ~ resource "aws_ecr_repository" "all_in_api_discord" {
        id                   = "all_in_api_discord"
      ~ image_tag_mutability = "IMMUTABLE" -> "MUTABLE"
        name                 = "all_in_api_discord"
        tags                 = {}
        # (4 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # aws_ecr_repository.all_in_api_slack will be updated in-place
  ~ resource "aws_ecr_repository" "all_in_api_slack" {
        id                   = "all_in_api_slack"
      ~ image_tag_mutability = "IMMUTABLE" -> "MUTABLE"
        name                 = "all_in_api_slack"
        tags                 = {}
        # (4 unchanged attributes hidden)

        # (2 unchanged blocks hidden)
    }

  # aws_iam_policy.access will be updated in-place
  ~ resource "aws_iam_policy" "access" {
        id     = "arn:aws:iam::451153100141:policy/apprunner-access-ecr"
        name   = "apprunner-access-ecr"
      ~ policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "ecr:GetDownloadUrlForLayer",
                          - "ecr:DescribeImages",
                          - "ecr:BatchGetImage",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:ecr:ap-northeast-1:451153100141:repository/all_in_api"
                      - Sid      = "ReadPrivateEcr"
                    },
                  - {
                      - Action   = [
                          - "ssm:DescribeParameters",
                          - "ecr:GetAuthorizationToken",
                          - "ecr:DescribeImages",
                        ]
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = "AuthPrivateEcr"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags   = {}
        # (5 unchanged attributes hidden)
    }

  # aws_iam_policy.discord_access will be updated in-place
  ~ resource "aws_iam_policy" "discord_access" {
        id     = "arn:aws:iam::451153100141:policy/apprunner-access-ecr-discord"
        name   = "apprunner-access-ecr-discord"
      ~ policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "ecr:GetDownloadUrlForLayer",
                          - "ecr:DescribeImages",
                          - "ecr:BatchGetImage",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:ecr:ap-northeast-1:451153100141:repository/all_in_api_discord"
                      - Sid      = "ReadPrivateEcr"
                    },
                  - {
                      - Action   = [
                          - "ssm:DescribeParameters",
                          - "ecr:GetAuthorizationToken",
                          - "ecr:DescribeImages",
                        ]
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = "AuthPrivateEcr"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags   = {}
        # (5 unchanged attributes hidden)
    }

  # aws_iam_policy.slack_access will be updated in-place
  ~ resource "aws_iam_policy" "slack_access" {
        id     = "arn:aws:iam::451153100141:policy/apprunner-access-ecr-slack"
        name   = "apprunner-access-ecr-slack"
      ~ policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "ecr:GetDownloadUrlForLayer",
                          - "ecr:DescribeImages",
                          - "ecr:BatchGetImage",
                        ]
                      - Effect   = "Allow"
                      - Resource = "arn:aws:ecr:ap-northeast-1:451153100141:repository/all_in_api_slack"
                      - Sid      = "ReadPrivateEcr"
                    },
                  - {
                      - Action   = [
                          - "ssm:DescribeParameters",
                          - "ecr:GetAuthorizationToken",
                          - "ecr:DescribeImages",
                        ]
                      - Effect   = "Allow"
                      - Resource = "*"
                      - Sid      = "AuthPrivateEcr"
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> (known after apply)
        tags   = {}
        # (5 unchanged attributes hidden)
    }

Plan: 0 to add, 7 to change, 0 to destroy.
```

tfaction-app[bot] commented 1 month ago

:white_check_mark: Apply Succeeded (terraform/env)

CI link

Apply complete! Resources: 0 added, 4 changed, 0 destroyed.
Details (Click me)

```hcl
aws_ecr_repository.all_in_api_slack: Modifying... [id=all_in_api_slack]
aws_ecr_repository.all_in_api_discord: Modifying... [id=all_in_api_discord]
aws_ecr_repository.all_in_api: Modifying... [id=all_in_api]
aws_ecr_repository.all_in_api_slack: Modifications complete after 2s [id=all_in_api_slack]
data.aws_iam_policy_document.slack_access: Reading...
data.aws_iam_policy_document.slack_access: Read complete after 0s [id=4170204483]
aws_apprunner_service.all_in_api_slack: Modifying... [id=arn:aws:apprunner:ap-northeast-1:451153100141:service/all_in_slack/a1d29e5b95024ae9bd54357249909875]
aws_ecr_repository.all_in_api_discord: Modifications complete after 2s [id=all_in_api_discord]
data.aws_iam_policy_document.discord_access: Reading...
data.aws_iam_policy_document.discord_access: Read complete after 0s [id=3945014836]
aws_ecr_repository.all_in_api: Modifications complete after 2s [id=all_in_api]
data.aws_iam_policy_document.access: Reading...
data.aws_iam_policy_document.access: Read complete after 0s [id=2016682508]
aws_apprunner_service.all_in_api_slack: Still modifying... [id=arn:aws:apprunner:ap-northeast-1:451153...slack/a1d29e5b95024ae9bd54357249909875, 10s elapsed]
aws_apprunner_service.all_in_api_slack: Still modifying... [id=arn:aws:apprunner:ap-northeast-1:451153...slack/a1d29e5b95024ae9bd54357249909875, 20s elapsed]
aws_apprunner_service.all_in_api_slack: Still modifying... [id=arn:aws:apprunner:ap-northeast-1:451153...slack/a1d29e5b95024ae9bd54357249909875, 30s elapsed]
aws_apprunner_service.all_in_api_slack: Still modifying... [id=arn:aws:apprunner:ap-northeast-1:451153...slack/a1d29e5b95024ae9bd54357249909875, 40s elapsed]
aws_apprunner_service.all_in_api_slack: Still modifying... [id=arn:aws:apprunner:ap-northeast-1:451153...slack/a1d29e5b95024ae9bd54357249909875, 50s elapsed]
aws_apprunner_service.all_in_api_slack: Still modifying... [id=arn:aws:apprunner:ap-northeast-1:451153...slack/a1d29e5b95024ae9bd54357249909875, 1m0s elapsed]
aws_apprunner_service.all_in_api_slack: Still modifying... [id=arn:aws:apprunner:ap-northeast-1:451153...slack/a1d29e5b95024ae9bd54357249909875, 1m10s elapsed]
aws_apprunner_service.all_in_api_slack: Still modifying... [id=arn:aws:apprunner:ap-northeast-1:451153...slack/a1d29e5b95024ae9bd54357249909875, 1m20s elapsed]
aws_apprunner_service.all_in_api_slack: Still modifying... [id=arn:aws:apprunner:ap-northeast-1:451153...slack/a1d29e5b95024ae9bd54357249909875, 1m30s elapsed]
aws_apprunner_service.all_in_api_slack: Still modifying... [id=arn:aws:apprunner:ap-northeast-1:451153...slack/a1d29e5b95024ae9bd54357249909875, 1m40s elapsed]
aws_apprunner_service.all_in_api_slack: Still modifying... [id=arn:aws:apprunner:ap-northeast-1:451153...slack/a1d29e5b95024ae9bd54357249909875, 1m50s elapsed]
aws_apprunner_service.all_in_api_slack: Still modifying... [id=arn:aws:apprunner:ap-northeast-1:451153...slack/a1d29e5b95024ae9bd54357249909875, 2m0s elapsed]
aws_apprunner_service.all_in_api_slack: Still modifying... [id=arn:aws:apprunner:ap-northeast-1:451153...slack/a1d29e5b95024ae9bd54357249909875, 2m10s elapsed]
aws_apprunner_service.all_in_api_slack: Still modifying... [id=arn:aws:apprunner:ap-northeast-1:451153...slack/a1d29e5b95024ae9bd54357249909875, 2m20s elapsed]
aws_apprunner_service.all_in_api_slack: Still modifying... [id=arn:aws:apprunner:ap-northeast-1:451153...slack/a1d29e5b95024ae9bd54357249909875, 2m30s elapsed]
aws_apprunner_service.all_in_api_slack: Still modifying... [id=arn:aws:apprunner:ap-northeast-1:451153...slack/a1d29e5b95024ae9bd54357249909875, 2m40s elapsed]
aws_apprunner_service.all_in_api_slack: Still modifying... [id=arn:aws:apprunner:ap-northeast-1:451153...slack/a1d29e5b95024ae9bd54357249909875, 2m50s elapsed]
aws_apprunner_service.all_in_api_slack: Still modifying... [id=arn:aws:apprunner:ap-northeast-1:451153...slack/a1d29e5b95024ae9bd54357249909875, 3m0s elapsed]
aws_apprunner_service.all_in_api_slack: Modifications complete after 3m8s [id=arn:aws:apprunner:ap-northeast-1:451153100141:service/all_in_slack/a1d29e5b95024ae9bd54357249909875]

Apply complete! Resources: 0 added, 4 changed, 0 destroyed.

Outputs:

discord_ecr_arn = "arn:aws:ecr:ap-northeast-1:451153100141:repository/all_in_api_discord"
ecr_arn = "arn:aws:ecr:ap-northeast-1:451153100141:repository/all_in_api"
slack_ecr_arn = "arn:aws:ecr:ap-northeast-1:451153100141:repository/all_in_api_slack"
```