
fix: add Trivy Java DB ECR and refresh job (#506)
Add a new ECR repository to hold the Trivy Java DB, since pulls of it from the upstream registry have also started timing out with TOOMANYREQUEST errors.
patheard authored Oct 18, 2024
1 parent fe60329 commit e7aaeb4
Showing 4 changed files with 75 additions and 11 deletions.
5 changes: 3 additions & 2 deletions .github/workflows/trivy-db-refresh.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,9 +30,10 @@ jobs:
with:
registry-type: public

- name: Refresh Trivy Database
- name: Refresh Trivy Databases
run: |
./bin/generate_sbom/trivy_db_refresh.sh ${{ vars.TRIVY_DB_REPOSITORY }}
./bin/generate_sbom/trivy_db_refresh.sh trivy-db:latest ${{ vars.TRIVY_DB_REPOSITORY }}
./bin/generate_sbom/trivy_db_refresh.sh trivy-java-db:1 ${{ vars.TRIVY_JAVA_DB_REPOSITORY }}
- name: Logout of Amazon ECR
run: docker logout ${{ steps.login-ecr.outputs.registry }}
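Review bot: The second call on the `./bin/generate_sbom/trivy_db_refresh.sh trivy-java-db:1 ...` line never runs when the first one exhausts its retries, because a multi-line `run:` step under the default shell appears to stop at the first non-zero exit, so a rate limit on trivy-db also leaves trivy-java-db stale. Splitting the two calls into their own steps, or collecting failures (`./bin/generate_sbom/trivy_db_refresh.sh trivy-db:latest ${{ vars.TRIVY_DB_REPOSITORY }} || failed=1`, `./bin/generate_sbom/trivy_db_refresh.sh trivy-java-db:1 ${{ vars.TRIVY_JAVA_DB_REPOSITORY }} || failed=1`, `exit ${failed:-0}`), refreshes both and still fails the job. Relatedly, the unchanged `Logout of Amazon ECR` step only runs when the refresh succeeds; `if: always()` on it would drop the registry credential from the runner on failure too. The job's earlier steps, including the ECR login, are outside this hunk.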
9 changes: 5 additions & 4 deletions bin/generate_sbom/trivy_db_refresh.sh
Original file line number Diff line number Diff line change
Expand Up @@ -8,14 +8,15 @@
# This script expects that ECR authentication has already been performed.
#

target_repo="$1"
trivy_db_name="$1"
target_repo="$2"
max_attempts=5
attempt=0
backoff=1

while [ $attempt -lt $max_attempts ]; do
if oras cp public.ecr.aws/aquasecurity/trivy-db:latest "$target_repo"; then
echo "Trivy Database refreshed successfully."
if oras cp public.ecr.aws/aquasecurity/$trivy_db_name "$target_repo"; then
echo "$trivy_db_name refreshed successfully."
break
else
attempt=$((attempt + 1))
Expand All @@ -26,6 +27,6 @@ while [ $attempt -lt $max_attempts ]; do
done

if [ $attempt -eq $max_attempts ]; then
echo "Failed to refresh Trivy Database after $max_attempts attempts."
echo "Failed to refresh $trivy_db_name database after $max_attempts attempts."
exit 1
fi
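Review bot: Neither positional argument is validated, so a missing or empty `$2` (for example while the new `TRIVY_JAVA_DB_REPOSITORY` variable is not yet set) makes `oras cp` fail five times with backoff instead of failing immediately with a usable message; a guard before the loop such as `if [ -z "$trivy_db_name" ] || [ -z "$target_repo" ]; then echo "usage: $0 <db-name:tag> <target-repo>" >&2; exit 1; fi` fixes that. The new `$trivy_db_name` in the `oras cp` line is also the only unquoted expansion in that command; `"public.ecr.aws/aquasecurity/$trivy_db_name"` keeps it consistent with `"$target_repo"` and immune to word splitting. The copy is taken from the upstream registry by tag with no digest or signature check, so if downstream scans are meant to trust this mirror it would be worth a comment stating that trust in upstream is assumed, or pinning by digest where a stable one is available. The retry loop body is split across the two hunks, so the backoff logic between them is not visible here.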
56 changes: 51 additions & 5 deletions terragrunt/aws/generate_sbom/ecr.tf
Original file line number Diff line number Diff line change
@@ -1,19 +1,30 @@
resource "aws_ecrpublic_repository" "generate_sbom_public" {
resource "aws_ecrpublic_repository" "generate_sbom_trivy_db" {
provider = aws.us-east-1
repository_name = "${var.product_name}/generate_sbom/trivy-db"

tags = {
(var.billing_tag_key) = var.billing_tag_value
Terraform = true
Product = "${var.product_name}-${var.tool_name}"
}
}

resource "aws_ecrpublic_repository" "generate_sbom_trivy_java_db" {
provider = aws.us-east-1
repository_name = "${var.product_name}/generate_sbom/trivy-java-db"

tags = {
(var.billing_tag_key) = var.billing_tag_value
Terraform = true
Product = "${var.product_name}-${var.tool_name}"
}
}

data "aws_iam_policy_document" "sbom_public_policy_document" {
provider = aws.us-east-1
statement {
sid = "sbom_public_policy"
effect = "Allow"


principals {
type = "AWS"
identifiers = ["*"]
Expand All @@ -40,8 +51,43 @@ data "aws_iam_policy_document" "sbom_public_policy_document" {
}
}
}
resource "aws_ecrpublic_repository_policy" "sbom_public_policy" {

#
# Attach the ECR IAM policy
#
resource "aws_ecrpublic_repository_policy" "generate_sbom_trivy_db" {
provider = aws.us-east-1
repository_name = aws_ecrpublic_repository.generate_sbom_public.repository_name
repository_name = aws_ecrpublic_repository.generate_sbom_trivy_db.repository_name
policy = sensitive(data.aws_iam_policy_document.sbom_public_policy_document.json)
}

resource "aws_ecrpublic_repository_policy" "generate_sbom_trivy_java_db" {
provider = aws.us-east-1
repository_name = aws_ecrpublic_repository.generate_sbom_trivy_java_db.repository_name
policy = sensitive(data.aws_iam_policy_document.sbom_public_policy_document.json)
}

#
# Policy to expire untagged images
#
resource "aws_ecr_lifecycle_policy" "generate_sbom_trivy_db" {
provider = aws.us-east-1
repository = aws_ecrpublic_repository.generate_sbom_trivy_db.repository_name
policy = file("${path.module}/policy/lifecycle.json")
}

resource "aws_ecr_lifecycle_policy" "generate_sbom_trivy_java_db" {
provider = aws.us-east-1
repository = aws_ecrpublic_repository.generate_sbom_trivy_java_db.repository_name
policy = file("${path.module}/policy/lifecycle.json")
}

moved {
from = aws_ecrpublic_repository.generate_sbom_public
to = aws_ecrpublic_repository.generate_sbom_trivy_db
}

moved {
from = aws_ecrpublic_repository_policy.sbom_public_policy
to = aws_ecrpublic_repository_policy.generate_sbom_trivy_db
}
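Review bot: The two `aws_ecr_lifecycle_policy` resources are the private-ECR lifecycle resource, but the repositories they name are `aws_ecrpublic_repository` ones; as far as I know ECR Public has no lifecycle-policy API, so `apply` will most likely fail with a repository-not-found error in us-east-1 unless a same-named private repository happens to exist. If the goal is to stop untagged manifests accumulating in the public repos, that would need to be done from the refresh job (for example deleting untagged images with `aws ecr-public batch-delete-image` after each push) rather than through these resources. Separately, both repositories now share `sbom_public_policy_document`, whose principal is `*`; its action list is cut off at the `Expand All` marker, so please confirm it grants only pull actions before attaching it to the second repo, and consider whether wrapping a deliberately public policy in `sensitive()` is worth the loss of plan readability.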
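--- a/terragrunt/aws/generate_sbom/policy/lifecycle.json
+++ b/terragrunt/aws/generate_sbom/policy/lifecycle.json
@@ -0,0 +1,16 @@
+{
+"rules": [
+{
+"rulePriority": 1,
+"description": "Delete untagged images",
+"selection": {
+"tagStatus": "untagged",
+"countType": "imageCountMoreThan",
+"countNumber": 1
+},
+"action": {
+"type": "expire"
+}
+}
+]
+}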
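Review bot: `imageCountMoreThan` with `countNumber: 1` keeps the newest untagged manifest rather than removing them all, which may be intended (it leaves the previous DB as a rollback target) but is not what the description `Delete untagged images` says; `"countType": "sinceImagePushed", "countUnit": "days", "countNumber": 1` would expire every untagged manifest a day after it is superseded, or the description could state that one is kept. Note also that this file is attached through `aws_ecr_lifecycle_policy`, which is the private-ECR resource; whether it takes effect on the public repositories it is pointed at should be checked, since ECR Public does not, to my knowledge, support lifecycle policies.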
