fixed race conditions and trivy errors

stroeer · Sep 19, 2024 · 1bc66ef · 1bc66ef
1 parent fd30328
commit 1bc66ef
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 13 deletions.
diff --git a/examples/complete/README.md b/examples/complete/README.md
@@ -17,16 +17,16 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Version |
 |------|---------|
-| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 4.9 |
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.32 |
 | <a name="requirement_null"></a> [null](#requirement\_null) | >= 3.2 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | >= 3.4 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 4.9 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.32 |
 | <a name="provider_null"></a> [null](#provider\_null) | >= 3.2 |
 | <a name="provider_random"></a> [random](#provider\_random) | >= 3.4 |
 
@@ -59,5 +59,5 @@ Note that this example may create resources which cost money. Run `terraform des
 
 | Name | Description |
 |------|-------------|
-| <a name="output_alb_dns_name"></a> [alb\_dns\_name](#output\_alb\_dns\_name) | n/a |
+| <a name="output_endpoint"></a> [endpoint](#output\_endpoint) | n/a |
 <!-- END_TF_DOCS -->
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
@@ -77,7 +77,8 @@ module "alb" {
 }
 
 module "service" {
-  source = "../../"
+  source     = "../../"
+  depends_on = [module.vpc]
 
   cpu                           = 256
   cpu_architecture              = "ARM64"
@@ -143,6 +144,9 @@ resource "aws_security_group" "egress_all" {
   description = "Allow all outbound traffic"
   vpc_id      = module.vpc.vpc_id
 
+  # make sure to secure traffic in production environments
+  # see https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0104/#Terraform
+  #trivy:ignore:AVD-AWS-0104
   egress {
     from_port        = 0
     to_port          = 0

diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
@@ -1,3 +1,3 @@
-output "alb_dns_name" {
-  value = module.alb.dns_name
+output "endpoint" {
+  value = "http://${module.alb.dns_name}/"
 }
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
@@ -1,10 +1,10 @@
 terraform {
-  required_version = ">= 1.0"
+  required_version = ">= 1.3"
 
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = ">= 4.9"
+      version = ">= 5.32"
     }
     random = {
       source  = "hashicorp/random"

diff --git a/examples/fixtures/context/Dockerfile b/examples/fixtures/context/Dockerfile
@@ -1,9 +1,15 @@
 FROM python:3.12-alpine
 
-ADD index.html index.html
-ADD server.py server.py
+RUN addgroup -S app && adduser -S app -G app
+WORKDIR /home/app
+
+ADD index.html /home/app/index.html
+ADD server.py /home/app/server.py
+
+RUN chown -R app:app /home/app
+
+USER app
 
-#USER app
 EXPOSE 8000
 
 ENTRYPOINT ["python3", "server.py"]
diff --git a/modules/deployment/iam_code_pipeline.tf b/modules/deployment/iam_code_pipeline.tf
@@ -69,9 +69,10 @@ data "aws_iam_policy_document" "code_pipepline_permissions" {
     resources = [aws_codebuild_project.this.arn]
   }
 
+  # cloudtrail reports that codepipeline actually requires access to `*`
+  #trivy:ignore:AVD-AWS-0057
   statement {
     actions = [
-      # cloudtrail reports that codepipeline actually requires access to `*`
       "ecs:DescribeTaskDefinition",
       "ecs:RegisterTaskDefinition",
       "ecs:TagResource"