remove admin_enabled #131

somesylvie · 2024-08-21T16:53:58Z

Description

Fortify wants us to not have admin_enabled set to true on the container registry. This PR changes that setting and turns on container_registry_use_managed_identity instead. To test this, we deployed to both a Flexion environment (this PR env) and a CDC one (dev) and confirmed the app deployed successfully and was running

Issue

CDCgov/trusted-intermediary#1209

Co-Authored-By: jcrichlake <145698165+jcrichlake@users.noreply.github.com> Co-Authored-By: jherrflexion <118225331+jherrflexion@users.noreply.github.com> Co-Authored-By: halprin <halprin@users.noreply.github.com> Co-Authored-By: Samuel Aquino <saquino@flexion.us> Co-Authored-By: Bella L. Quintero <96704946+pluckyswan@users.noreply.github.com>

Co-Authored-By: jcrichlake <145698165+jcrichlake@users.noreply.github.com> Co-Authored-By: Bella L. Quintero <96704946+pluckyswan@users.noreply.github.com>

pluckyswan

Would it be beneficial to include why Fortify wants this?

halprin

Just a question on whether we can remove a small bit of code.

halprin · 2024-08-22T14:20:40Z

operations/template/app.tf

@@ -53,6 +52,8 @@ resource "azurerm_linux_web_app" "sftp" {
    health_check_path                 = "/health"
    health_check_eviction_time_in_min = 5

+    container_registry_use_managed_identity = true


Down below on what is currently line 84 and 85, we have...

DOCKER_REGISTRY_SERVER_USERNAME = azurerm_container_registry.registry.admin_username DOCKER_REGISTRY_SERVER_PASSWORD = azurerm_container_registry.registry.admin_password

Can we remove those lines and this continues to work?

We can try it and find out 😅

Co-Authored-By: jcrichlake <145698165+jcrichlake@users.noreply.github.com> Co-Authored-By: Bella L. Quintero <96704946+pluckyswan@users.noreply.github.com> Co-Authored-By: halprin <halprin@users.noreply.github.com> Co-Authored-By: Samuel Aquino <saquino@flexion.us>

Co-authored-by: saquino0827 <saquino@flexion.us>

somesylvie · 2024-08-26T15:21:29Z

Would it be beneficial to include why Fortify wants this?

The Fortify rec is actually pretty vague - this is all it says

sonarcloud · 2024-08-26T15:24:07Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

This reverts commit a25f645.

This reverts commit a25f645 - we need add'l permissions from CDC for this to work in staging

This reverts commit 8551b37.

somesylvie temporarily deployed to pr August 21, 2024 16:54 — with GitHub Actions Inactive

somesylvie temporarily deployed to pr August 21, 2024 16:59 — with GitHub Actions Inactive

somesylvie temporarily deployed to pr August 21, 2024 17:01 — with GitHub Actions Inactive

try setting container_registry_use_managed_identity

19e620c

Co-Authored-By: jcrichlake <145698165+jcrichlake@users.noreply.github.com> Co-Authored-By: Bella L. Quintero <96704946+pluckyswan@users.noreply.github.com>

somesylvie temporarily deployed to pr August 21, 2024 17:12 — with GitHub Actions Inactive

somesylvie temporarily deployed to pr August 21, 2024 17:14 — with GitHub Actions Inactive

somesylvie temporarily deployed to pr August 21, 2024 17:16 — with GitHub Actions Inactive

somesylvie had a problem deploying to dev August 21, 2024 17:21 — with GitHub Actions Failure

somesylvie temporarily deployed to dev August 21, 2024 17:24 — with GitHub Actions Inactive

somesylvie temporarily deployed to dev August 21, 2024 17:26 — with GitHub Actions Inactive

somesylvie temporarily deployed to dev August 21, 2024 17:28 — with GitHub Actions Inactive

somesylvie requested review from halprin and jcrichlake August 21, 2024 17:32

somesylvie marked this pull request as ready for review August 21, 2024 17:32

pluckyswan reviewed Aug 21, 2024

View reviewed changes

halprin reviewed Aug 22, 2024

View reviewed changes

remove unused vars

6984925

Co-Authored-By: jcrichlake <145698165+jcrichlake@users.noreply.github.com> Co-Authored-By: Bella L. Quintero <96704946+pluckyswan@users.noreply.github.com> Co-Authored-By: halprin <halprin@users.noreply.github.com> Co-Authored-By: Samuel Aquino <saquino@flexion.us>

somesylvie temporarily deployed to dev August 22, 2024 14:29 — with GitHub Actions Inactive

somesylvie temporarily deployed to pr August 22, 2024 14:29 — with GitHub Actions Inactive

somesylvie temporarily deployed to dev August 22, 2024 14:31 — with GitHub Actions Inactive

somesylvie temporarily deployed to dev August 22, 2024 14:32 — with GitHub Actions Inactive

somesylvie temporarily deployed to pr August 22, 2024 14:33 — with GitHub Actions Inactive

make tf format happy

1f2a8ae

Co-Authored-By: jcrichlake <145698165+jcrichlake@users.noreply.github.com> Co-Authored-By: Bella L. Quintero <96704946+pluckyswan@users.noreply.github.com> Co-Authored-By: halprin <halprin@users.noreply.github.com> Co-Authored-By: Samuel Aquino <saquino@flexion.us>

somesylvie temporarily deployed to pr August 22, 2024 14:34 — with GitHub Actions Inactive

somesylvie temporarily deployed to pr August 22, 2024 14:36 — with GitHub Actions Inactive

somesylvie temporarily deployed to pr August 22, 2024 14:38 — with GitHub Actions Inactive

somesylvie had a problem deploying to dev August 22, 2024 14:59 — with GitHub Actions Failure

somesylvie had a problem deploying to pr August 22, 2024 14:59 — with GitHub Actions Failure

somesylvie had a problem deploying to pr August 22, 2024 15:00 — with GitHub Actions Failure

fixed terraform linting

1bc9880

Co-authored-by: saquino0827 <saquino@flexion.us>

pluckyswan had a problem deploying to pr August 22, 2024 15:47 — with GitHub Actions Failure

pluckyswan temporarily deployed to pr August 22, 2024 16:04 — with GitHub Actions Inactive

pluckyswan temporarily deployed to pr August 22, 2024 16:06 — with GitHub Actions Inactive

pluckyswan temporarily deployed to pr August 22, 2024 16:09 — with GitHub Actions Inactive

Merge branch 'main' into turn-off-admin_enabled

e9c6117

somesylvie temporarily deployed to pr August 26, 2024 15:22 — with GitHub Actions Inactive

somesylvie temporarily deployed to pr August 26, 2024 15:25 — with GitHub Actions Inactive

somesylvie deployed to pr August 26, 2024 15:27 — with GitHub Actions View deployment

pluckyswan approved these changes Aug 26, 2024

View reviewed changes

somesylvie merged commit a25f645 into main Aug 26, 2024
14 checks passed

somesylvie deleted the turn-off-admin_enabled branch August 26, 2024 16:30

somesylvie temporarily deployed to pr August 26, 2024 16:30 — with GitHub Actions Inactive

somesylvie added a commit that referenced this pull request Aug 26, 2024

Revert "remove admin_enabled (#131)"

3a63320

This reverts commit a25f645.

somesylvie mentioned this pull request Aug 26, 2024

Revert "remove admin_enabled" #135

Merged

somesylvie added a commit that referenced this pull request Aug 26, 2024

Revert "remove admin_enabled (#131)" (#135)

8551b37

This reverts commit a25f645 - we need add'l permissions from CDC for this to work in staging

somesylvie added a commit that referenced this pull request Aug 26, 2024

Revert "Revert "remove admin_enabled (#131)" (#135)"

fa3b150

This reverts commit 8551b37.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

remove admin_enabled #131

remove admin_enabled #131

somesylvie commented Aug 21, 2024 •

edited

Loading

pluckyswan left a comment

halprin left a comment

halprin Aug 22, 2024

somesylvie Aug 22, 2024

somesylvie commented Aug 26, 2024

sonarcloud bot commented Aug 26, 2024

remove admin_enabled #131

remove admin_enabled #131

Conversation

somesylvie commented Aug 21, 2024 • edited Loading

Description

Issue

pluckyswan left a comment

Choose a reason for hiding this comment

halprin left a comment

Choose a reason for hiding this comment

halprin Aug 22, 2024

Choose a reason for hiding this comment

somesylvie Aug 22, 2024

Choose a reason for hiding this comment

somesylvie commented Aug 26, 2024

sonarcloud bot commented Aug 26, 2024

Quality Gate passed

somesylvie commented Aug 21, 2024 •

edited

Loading