From 1bc66ef65216373c345fd6061e365e9ab3ada6b9 Mon Sep 17 00:00:00 2001
From: Moritz Zimmer
Date: Thu, 19 Sep 2024 08:58:08 +0200
Subject: [PATCH] fixed race conditions and trivy errors
---
 examples/complete/README.md | 8 ++++----
 examples/complete/main.tf | 6 +++++-
 examples/complete/outputs.tf | 4 ++--
 examples/complete/versions.tf | 4 ++--
 examples/fixtures/context/Dockerfile | 12 +++++++++---
 modules/deployment/iam_code_pipeline.tf | 3 ++-
 6 files changed, 24 insertions(+), 13 deletions(-)
diff --git a/examples/complete/README.md b/examples/complete/README.md
index e004ebd..e3fd2e9 100644
--- a/examples/complete/README.md
+++ b/examples/complete/README.md
@@ -17,8 +17,8 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
-| [terraform](#requirement\_terraform) | >= 1.0 |
-| [aws](#requirement\_aws) | >= 4.9 |
+| [terraform](#requirement\_terraform) | >= 1.3 |
+| [aws](#requirement\_aws) | >= 5.32 |
 | [null](#requirement\_null) | >= 3.2 |
 | [random](#requirement\_random) | >= 3.4 |
@@ -26,7 +26,7 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Version |
 |------|---------|
-| [aws](#provider\_aws) | >= 4.9 |
+| [aws](#provider\_aws) | >= 5.32 |
 | [null](#provider\_null) | >= 3.2 |
 | [random](#provider\_random) | >= 3.4 |
@@ -59,5 +59,5 @@ Note that this example may create resources which cost money. Run `terraform des
 | Name | Description |
 |------|-------------|
-| [alb\_dns\_name](#output\_alb\_dns\_name) | n/a |
+| [endpoint](#output\_endpoint) | n/a |
diff --git a/examples/complete/main.tf b/examples/complete/main.tf
index 9cd2610..bcacdd6 100644
--- a/examples/complete/main.tf
+++ b/examples/complete/main.tf
@@ -77,7 +77,8 @@ module "alb" {
 }
 module "service" {
- source = "../../"
+ source = "../../"
+ depends_on = [module.vpc]
 cpu = 256
 cpu_architecture = "ARM64"
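Review bot: `depends_on = [module.vpc]` on the `module "service"` call is a much broader ordering than the race it is meant to fix: a module-level depends_on defers every resource and every data source inside `../../` until all of `module.vpc` has been applied, so any data source the module reads becomes "known after apply" and can surface spurious changes on every subsequent plan. If the race is between one specific resource in the module and the VPC's subnets or NAT routes, prefer expressing that edge through the values already passed in from `module.vpc` outputs, and keep the explicit depends_on only where no such value exists — with a comment naming the resource it orders, e.g. `# ordering only: <resource> must not be created before the VPC's routes exist`. The remainder of the `module "service"` block is outside the hunk.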
@@ -143,6 +144,9 @@ resource "aws_security_group" "egress_all" {
 description = "Allow all outbound traffic"
 vpc_id = module.vpc.vpc_id
+ # make sure to secure traffic in production environments
+ # see https://avd.aquasec.com/misconfig/aws/ec2/avd-aws-0104/#Terraform
+ #trivy:ignore:AVD-AWS-0104
 egress {
 from_port = 0
 to_port = 0
diff --git a/examples/complete/outputs.tf b/examples/complete/outputs.tf
index 7e39485..521a1b9 100644
--- a/examples/complete/outputs.tf
+++ b/examples/complete/outputs.tf
@@ -1,3 +1,3 @@
-output "alb_dns_name" {
- value = module.alb.dns_name
+output "endpoint" {
+ value = "http://${module.alb.dns_name}/"
 }
diff --git a/examples/complete/versions.tf b/examples/complete/versions.tf
index 96995bf..0b4c16e 100644
--- a/examples/complete/versions.tf
+++ b/examples/complete/versions.tf
@@ -1,10 +1,10 @@
 terraform {
- required_version = ">= 1.0"
+ required_version = ">= 1.3"
 required_providers {
 aws = {
 source = "hashicorp/aws"
- version = ">= 4.9"
+ version = ">= 5.32"
 }
 random = {
 source = "hashicorp/random"
diff --git a/examples/fixtures/context/Dockerfile b/examples/fixtures/context/Dockerfile
index 61cb2bc..b348627 100644
--- a/examples/fixtures/context/Dockerfile
+++ b/examples/fixtures/context/Dockerfile
@@ -1,9 +1,15 @@
 FROM python:3.12-alpine
-ADD index.html index.html
-ADD server.py server.py
+RUN addgroup -S app && adduser -S app -G app
+WORKDIR /home/app
+
+ADD index.html /home/app/index.html
+ADD server.py /home/app/server.py
+
+RUN chown -R app:app /home/app
+
+USER app
-#USER app
 EXPOSE 8000
 ENTRYPOINT ["python3", "server.py"]
diff --git a/modules/deployment/iam_code_pipeline.tf b/modules/deployment/iam_code_pipeline.tf
index d2971ae..5338bb9 100644
--- a/modules/deployment/iam_code_pipeline.tf
+++ b/modules/deployment/iam_code_pipeline.tf
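Review bot: The `#trivy:ignore:AVD-AWS-0104` line silences the unrestricted-egress finding without telling the reader what the rule actually has to allow, and example security groups like this one tend to be copied into real stacks unchanged. Replace the generic "secure traffic in production" warning with the concrete reason and the restriction to apply, e.g. `# tasks need outbound access to pull the image and ship logs; in production restrict this to your VPC endpoint / NAT CIDRs instead of 0.0.0.0/0` — the exact destinations depend on how the example reaches ECR and CloudWatch, which is not visible here, so adjust the wording to match. The `protocol` and `cidr_blocks` lines of the `egress` block are outside the hunk.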
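Review bot: The new `endpoint` output hardcodes the `http://` scheme and carries no `description`, which is why the README table in this same commit lists it as `n/a`. Add `description = "URL of the example service behind the ALB (plain HTTP; the example does not configure a TLS listener)"` — the "no TLS listener" part assumes the `module "alb"` call only creates an HTTP listener, which is not visible in this hunk, so confirm before wording it that way.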
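Review bot: `ADD` is used for two plain local files where `COPY` is the correct instruction — ADD additionally auto-extracts archives and fetches remote URLs, which is exactly why Hadolint/trivy flag it — and the separate `RUN chown -R app:app /home/app` adds a layer just to fix ownership of files that were written as root one instruction earlier. Both ADD lines and the chown collapse into a single instruction that also avoids the extra layer: `COPY --chown=app:app index.html server.py ./` (WORKDIR is already `/home/app`). Consider also pinning the base image by digest (`python:3.12-alpine@sha256:…`) so the fixture build is reproducible rather than tracking whatever the tag currently points at.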
@@ -69,9 +69,10 @@ data "aws_iam_policy_document" "code_pipepline_permissions" {
 resources = [aws_codebuild_project.this.arn]
 }
+ # cloudtrail reports that codepipeline actually requires access to `*`
+ #trivy:ignore:AVD-AWS-0057
 statement {
 actions = [
- # cloudtrail reports that codepipeline actually requires access to `*`
 "ecs:DescribeTaskDefinition",
 "ecs:RegisterTaskDefinition",
 "ecs:TagResource"
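Review bot: The relocated comment justifies the wildcard resource by what CloudTrail happened to report rather than by the API's actual constraints, which is what a future reader needs in order to judge whether the `#trivy:ignore:AVD-AWS-0057` suppression is still warranted. As far as I recall the IAM Service Authorization Reference, `ecs:RegisterTaskDefinition` and `ecs:DescribeTaskDefinition` define no resource types at all (so `*` is mandatory for them), whereas `ecs:TagResource` does accept a task-definition ARN — please verify against the current reference. I would reword the comment to `# RegisterTaskDefinition/DescribeTaskDefinition accept no resource ARNs (see the Service Authorization Reference), so "*" is required for this statement` and, if the wildcard should stay as narrow as possible, constrain `ecs:TagResource` with a condition on `ecs:CreateAction` or `aws:RequestTag` instead of leaving it unconditioned. The `resources = ["*"]` line and the rest of this statement are outside the hunk.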