From e7aaeb49244d9af9e81705d42f234eb59bec6572 Mon Sep 17 00:00:00 2001
From: Pat Heard
Date: Fri, 18 Oct 2024 09:15:13 -0400
Subject: [PATCH] fix: add Trivy Java DB ECR and refresh job (#506)

Add a new ECR to hold the Trivy Java DB as this has also started timing out with TOOMANYREQUEST errors.
---
 .github/workflows/trivy-db-refresh.yml | 5 +-
 bin/generate_sbom/trivy_db_refresh.sh | 9 +--
 terragrunt/aws/generate_sbom/ecr.tf | 56 +++++++++++++++++++++++++++++++++--
 .../aws/generate_sbom/policy/lifecycle.json | 16 ++++++
 4 files changed, 75 insertions(+), 11 deletions(-)
 create mode 100644 terragrunt/aws/generate_sbom/policy/lifecycle.json

diff --git a/.github/workflows/trivy-db-refresh.yml b/.github/workflows/trivy-db-refresh.yml
index a0af6efa..e8469c12 100644
--- a/.github/workflows/trivy-db-refresh.yml
+++ b/.github/workflows/trivy-db-refresh.yml
@@ -30,9 +30,10 @@ jobs:
         with:
           registry-type: public
 
-      - name: Refresh Trivy Database
+      - name: Refresh Trivy Databases
         run: |
-          ./bin/generate_sbom/trivy_db_refresh.sh ${{ vars.TRIVY_DB_REPOSITORY }}
+          ./bin/generate_sbom/trivy_db_refresh.sh trivy-db:latest ${{ vars.TRIVY_DB_REPOSITORY }}
+          ./bin/generate_sbom/trivy_db_refresh.sh trivy-java-db:1 ${{ vars.TRIVY_JAVA_DB_REPOSITORY }}
 
       - name: Logout of Amazon ECR
         run: docker logout ${{ steps.login-ecr.outputs.registry }}
diff --git a/bin/generate_sbom/trivy_db_refresh.sh b/bin/generate_sbom/trivy_db_refresh.sh
index 8832f7c5..2f47845e 100755
--- a/bin/generate_sbom/trivy_db_refresh.sh
+++ b/bin/generate_sbom/trivy_db_refresh.sh
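Review bot: Both refreshes run inside a single `run: |` block, so with the runner's default `bash -e` shell a trivy-db copy that exhausts its retries and exits 1 stops the block before the Java DB is attempted, and the job shows one failed step without saying which mirror is stale. Splitting them into two steps (`- name: Refresh Trivy DB` and `- name: Refresh Trivy Java DB`, each with its own `run:`) keeps the two refreshes independent and makes the rate-limited one obvious in the log. `vars.TRIVY_JAVA_DB_REPOSITORY` is a new repository variable that has to exist before this merges; if it is unset the script receives an empty target and every `oras cp` attempt fails. Both `trivy-db:latest` and `trivy-java-db:1` are mutable tags copied with no digest check, which is fine for a rate-limit shield, but a comment on the step such as `# Mirrors upstream tags verbatim; this is a rate-limit workaround, not an integrity boundary` would stop a later reader from treating the mirror as a verified source.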
@@ -8,14 +8,15 @@
 # This script expects that ECR authentication has already been performed.
 #
 
-target_repo="$1"
+trivy_db_name="$1"
+target_repo="$2"
 max_attempts=5
 attempt=0
 backoff=1
 
 while [ $attempt -lt $max_attempts ]; do
-  if oras cp public.ecr.aws/aquasecurity/trivy-db:latest "$target_repo"; then
-    echo "Trivy Database refreshed successfully."
+  if oras cp public.ecr.aws/aquasecurity/$trivy_db_name "$target_repo"; then
+    echo "$trivy_db_name refreshed successfully."
     break
   else
     attempt=$((attempt + 1))
@@ -26,6 +27,6 @@ while [ $attempt -lt $max_attempts ]; do
 done
 
 if [ $attempt -eq $max_attempts ]; then
-  echo "Failed to refresh Trivy Database after $max_attempts attempts."
+  echo "Failed to refresh $trivy_db_name database after $max_attempts attempts."
   exit 1
 fi
\ No newline at end of file
diff --git a/terragrunt/aws/generate_sbom/ecr.tf b/terragrunt/aws/generate_sbom/ecr.tf
index 5bd82471..6793af10 100644
--- a/terragrunt/aws/generate_sbom/ecr.tf
+++ b/terragrunt/aws/generate_sbom/ecr.tf
@@ -1,19 +1,30 @@
-resource "aws_ecrpublic_repository" "generate_sbom_public" {
+resource "aws_ecrpublic_repository" "generate_sbom_trivy_db" {
   provider = aws.us-east-1
   repository_name = "${var.product_name}/generate_sbom/trivy-db"
+
   tags = {
     (var.billing_tag_key) = var.billing_tag_value
     Terraform = true
     Product = "${var.product_name}-${var.tool_name}"
   }
 }
+
+resource "aws_ecrpublic_repository" "generate_sbom_trivy_java_db" {
+  provider = aws.us-east-1
+  repository_name = "${var.product_name}/generate_sbom/trivy-java-db"
+
+  tags = {
+    (var.billing_tag_key) = var.billing_tag_value
+    Terraform = true
+    Product = "${var.product_name}-${var.tool_name}"
+  }
+}
+
 data "aws_iam_policy_document" "sbom_public_policy_document" {
   provider = aws.us-east-1
   statement {
     sid = "sbom_public_policy"
     effect = "Allow"
-
-
     principals {
       type = "AWS"
       identifiers = ["*"]
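Review bot: The new positional arguments are never validated: `trivy_db_name="$1"` and `target_repo="$2"` accept empty strings, and an empty `$2` turns `oras cp ... ""` into five retried failures and a misleading "Failed to refresh" message instead of a usage error. Add a guard right after the assignments, e.g. `[ -n "$trivy_db_name" ] && [ -n "$target_repo" ] || { echo "usage: $0 <db-name:tag> <target-repo>" >&2; exit 2; }`. `$trivy_db_name` should also be quoted in the `oras cp` line (`"public.ecr.aws/aquasecurity/$trivy_db_name"`) to match `"$target_repo"`, so a stray space in the argument cannot split the source reference into extra arguments. The script's header comment starts above the hunk; if it documents the arguments, it needs to describe the new `<db-name:tag>` first argument as well.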
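Review bot: The new `generate_sbom_trivy_java_db` repository is a verbatim copy of the `trivy-db` block with only the name changed, so the two will drift the first time one is edited; a `for_each = toset(["trivy-db", "trivy-java-db"])` over a single `aws_ecrpublic_repository` would keep them identical, although the `moved` blocks added later in this file would then need to target the keyed addresses instead. Either way the new repository deserves a comment saying why it exists, e.g. `# Mirror of public.ecr.aws/aquasecurity/trivy-java-db, refreshed by .github/workflows/trivy-db-refresh.yml to avoid upstream TOOMANYREQUESTS rate limiting.` The repository policy it will receive uses `identifiers = ["*"]` as its principal; the action list is outside this hunk, so please confirm it is pull-only before the second public repository is attached to it.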
@@ -40,8 +51,43 @@ data "aws_iam_policy_document" "sbom_public_policy_document" {
     }
   }
 }
-resource "aws_ecrpublic_repository_policy" "sbom_public_policy" {
+
+#
+# Attach the ECR IAM policy
+#
+resource "aws_ecrpublic_repository_policy" "generate_sbom_trivy_db" {
   provider = aws.us-east-1
-  repository_name = aws_ecrpublic_repository.generate_sbom_public.repository_name
+  repository_name = aws_ecrpublic_repository.generate_sbom_trivy_db.repository_name
   policy = sensitive(data.aws_iam_policy_document.sbom_public_policy_document.json)
 }
+
+resource "aws_ecrpublic_repository_policy" "generate_sbom_trivy_java_db" {
+  provider = aws.us-east-1
+  repository_name = aws_ecrpublic_repository.generate_sbom_trivy_java_db.repository_name
+  policy = sensitive(data.aws_iam_policy_document.sbom_public_policy_document.json)
+}
+
+#
+# Policy to expire untagged images
+#
+resource "aws_ecr_lifecycle_policy" "generate_sbom_trivy_db" {
+  provider = aws.us-east-1
+  repository = aws_ecrpublic_repository.generate_sbom_trivy_db.repository_name
+  policy = file("${path.module}/policy/lifecycle.json")
+}
+
+resource "aws_ecr_lifecycle_policy" "generate_sbom_trivy_java_db" {
+  provider = aws.us-east-1
+  repository = aws_ecrpublic_repository.generate_sbom_trivy_java_db.repository_name
+  policy = file("${path.module}/policy/lifecycle.json")
+}
+
+moved {
+  from = aws_ecrpublic_repository.generate_sbom_public
+  to = aws_ecrpublic_repository.generate_sbom_trivy_db
+}
+
+moved {
+  from = aws_ecrpublic_repository_policy.sbom_public_policy
+  to = aws_ecrpublic_repository_policy.generate_sbom_trivy_db
+}
diff --git a/terragrunt/aws/generate_sbom/policy/lifecycle.json b/terragrunt/aws/generate_sbom/policy/lifecycle.json
new file mode 100644
index 00000000..20b427de
--- /dev/null
+++ b/terragrunt/aws/generate_sbom/policy/lifecycle.json
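Review bot: `aws_ecr_lifecycle_policy` manages lifecycle policies on the private ECR registry (it calls `ecr:PutLifecyclePolicy`), but both `repository` arguments point at `aws_ecrpublic_repository` resources; as far as I know ECR Public exposes no lifecycle-policy API, so the two new `aws_ecr_lifecycle_policy` resources will most likely fail at apply with a repository-not-found error rather than expire anything — please confirm with a `terraform plan`/`apply` before merging. If superseded untagged DB images do need to be pruned, that currently has to happen out of band, e.g. an `aws ecr-public batch-delete-image` step in the refresh workflow, and the "Policy to expire untagged images" comment should say so. Separately, wrapping a public-read repository policy in `sensitive()` hides the policy JSON from plan output; there is nothing secret in a `Principal: *` read policy, and hiding it means a future widening of its action list would not show up in review, so either drop `sensitive()` or add a comment explaining why it is there.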
@@ -0,0 +1,16 @@
+{
+  "rules": [
+    {
+      "rulePriority": 1,
+      "description": "Delete untagged images",
+      "selection": {
+        "tagStatus": "untagged",
+        "countType": "imageCountMoreThan",
+        "countNumber": 1
+      },
+      "action": {
+        "type": "expire"
+      }
+    }
+  ]
+}
\ No newline at end of file
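Review bot: The rule's `description` says "Delete untagged images" but `imageCountMoreThan: 1` deliberately retains the single most recent untagged image (presumably the previous DB version, which loses its tag when the mutable tag is re-pushed by the refresh job); the description should state that intent, e.g. `"description": "Expire untagged DB images, keeping the previous one as a rollback"`, so the retained copy is not mistaken for a leak. Note this file is written in the private-ECR lifecycle schema, so confirm the registry the policy is attached to actually accepts it. The file also has no trailing newline.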