Skip to content

Add Scanner Module #82

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

Add Scanner Module #82

wants to merge 1 commit into from

Conversation

asteel-gsa
Copy link
Contributor

🎫 Addresses issue: #41
This resolves #41 when it merges.

🛠 Summary of changes

Adds a scanner module to the shared terraform. This was created for the FAC to satisfy an ATO requirement which wanted us to scan and detect malicious fragments for all files in the s3. The flask app that we made looks into the target s3, scans everything, waits, and then rescans. We send off an alert to new relic and move the file to a different s3 bucket to quarantine it. None of that functionality is present in this module, and does require a custom solution depending on the teams tech stack to use.

TF Tests

I wrote the baseline tests, but since this module both requires a service_binding but has no default, perhaps you might be willing to take a look at this @rahearn

Note

This is fully complete on porting over, so feel free to edit however you would like @rahearn @mogul . I have a few cleanup tasks to do for the FAC, but wanted to get this PR out so you have it and can bring it through when you would like!

📜 Testing Plan

This was tested using the following:

locals {
  scanner_name = "file-scanner"
}

data "cloudfoundry_org" "org" {
  name = var.cf_org_name
}

data "cloudfoundry_space" "space" {
  name = var.cf_space_name
  org  = data.cloudfoundry_org.org.id
}

resource "cloudfoundry_service_instance" "clamav_ups" {
  name        = "clamav_ups"
  type        = "user-provided"
  tags        = ["clamav-ups"]
  space       = data.cloudfoundry_space.space.id
  credentials = <<CLAMAVUPS
    {"AV_SCAN_URL": "${local.scan_url}"}
  CLAMAVUPS
}

locals {
  scan_url = "https://clamav-${var.cf_space_name}.apps.internal:61443/scan"
}

module "file-scanner" {
  source               = "../scanner"
  name                 = local.scanner_name
  cf_org_name          = var.cf_org_name
  github_repo_name     = "fac-periodic-scanner"
  src_code_folder_name = ""
  cf_space = {
    id   = data.cloudfoundry_space.space.id
    name = var.cf_space_name
  }
  buildpacks        = ["https://github.com/cloudfoundry/python-buildpack"]
  https_proxy_url   = var.https_proxy_url
  scanner_instances = 1
  scanner_memory    = "512M"
  disk_quota        = "512M"
  service_bindings = {
    "${cloudfoundry_service_instance.clamav_ups.name}" = ""
  }
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Incorporate FAC REST File Scanner into Shared Modules

1 participant

@asteel-gsa