Provider & Dependency Updates#16927

Draft
Aaron Robinson (ASTRobinson) wants to merge 4 commits into main from feature/obs-plat-v6

Conversation

@ASTRobinson
Contributor

work in progress, provider and dependency updates...

@github-actions github-actions Bot added the environments-repository Used to exclude PRs from this repo in our Slack PR update label May 29, 2026
@ASTRobinson Aaron Robinson (ASTRobinson) had a problem deploying to observability-platform-development May 29, 2026 13:54 — with GitHub Actions Error
@ASTRobinson Aaron Robinson (ASTRobinson) had a problem deploying to observability-platform-development May 29, 2026 14:11 — with GitHub Actions Error
@github-actions
Contributor

github-actions Bot commented Jun 1, 2026


Checkov Scan Success

*****************************

Checkov will check the following folders:
terraform/environments/observability-platform
terraform/environments/observability-platform/modules/grafana/amazon-prometheus-query-source
terraform/environments/observability-platform/modules/grafana/athena-source
terraform/environments/observability-platform/modules/grafana/cloudwatch-source
terraform/environments/observability-platform/modules/grafana/contact-point/pagerduty
terraform/environments/observability-platform/modules/grafana/contact-point/slack
terraform/environments/observability-platform/modules/grafana/team
terraform/environments/observability-platform/modules/grafana/xray-source
terraform/environments/observability-platform/modules/observability-platform/tenant-configuration
terraform/environments/observability-platform/modules/prometheus/iam-role
terraform/environments/observability-platform

*****************************

Running Checkov in terraform/environments/observability-platform
terraform scan results:

Passed checks: 42, Failed checks: 1, Skipped checks: 28

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: securityhub_metric_ingester
	File: /lambda-functions.tf:54-93
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		54 | module "securityhub_metric_ingester" {
		55 |   source  = "terraform-aws-modules/lambda/aws"
		56 |   version = "8.8.0"
		57 |
		58 |   function_name = "securityhub-metric-ingester"
		59 |   description   = "Publishes enriched Security Hub metrics for Grafana"
		60 |   handler       = "app.handler"
		61 |   runtime       = "python3.12"
		62 |   memory_size   = 512
		63 |   timeout       = 120
		64 |   tags          = local.tags
		65 |
		66 |   source_path = "${path.module}/lambda/securityhub_metrics"
		67 |
		68 |   publish                           = true
		69 |   cloudwatch_logs_retention_in_days = 90
		70 |
		71 |   environment_variables = {
		72 |     METRIC_NAMESPACE   = "ObservabilityPlatform/SecurityHub"
		73 |     METRIC_NAME        = "SecurityHubFindings"
		74 |     ACCOUNT_NAMES_JSON = jsonencode(local.securityhub_account_name_map)
		75 |   }
		76 |
		77 |   attach_policy_statements = true
		78 |   policy_statements = {
		79 |     cloudwatch = {
		80 |       sid       = "AllowPutMetricData"
		81 |       effect    = "Allow"
		82 |       actions   = ["cloudwatch:PutMetricData"]
		83 |       resources = ["*"]
		84 |     }
		85 |   }
		86 |
		87 |   allowed_triggers = {
		88 |     securityhub_events = {
		89 |       principal  = "events.amazonaws.com"
		90 |       source_arn = aws_cloudwatch_event_rule.securityhub_new_high_critical.arn
		91 |     }
		92 |   }
		93 | }


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/observability-platform/modules/grafana/amazon-prometheus-query-source

checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/observability-platform/modules/grafana/athena-source

checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/observability-platform/modules/grafana/cloudwatch-source

checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/observability-platform/modules/grafana/contact-point/pagerduty

checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/observability-platform/modules/grafana/contact-point/slack

checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/observability-platform/modules/grafana/team

checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/observability-platform/modules/grafana/xray-source

checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/observability-platform/modules/observability-platform/tenant-configuration
terraform scan results:

Passed checks: 11, Failed checks: 0, Skipped checks: 4


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/observability-platform/modules/prometheus/iam-role
terraform scan results:

Passed checks: 11, Failed checks: 0, Skipped checks: 4


checkov_exitcode=1

*****************************

Running Checkov in terraform/environments/observability-platform
terraform scan results:

Passed checks: 42, Failed checks: 1, Skipped checks: 28

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
	FAILED for resource: securityhub_metric_ingester
	File: /lambda-functions.tf:54-93
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

		54 | module "securityhub_metric_ingester" {
		55 |   source  = "terraform-aws-modules/lambda/aws"
		56 |   version = "8.8.0"
		57 |
		58 |   function_name = "securityhub-metric-ingester"
		59 |   description   = "Publishes enriched Security Hub metrics for Grafana"
		60 |   handler       = "app.handler"
		61 |   runtime       = "python3.12"
		62 |   memory_size   = 512
		63 |   timeout       = 120
		64 |   tags          = local.tags
		65 |
		66 |   source_path = "${path.module}/lambda/securityhub_metrics"
		67 |
		68 |   publish                           = true
		69 |   cloudwatch_logs_retention_in_days = 90
		70 |
		71 |   environment_variables = {
		72 |     METRIC_NAMESPACE   = "ObservabilityPlatform/SecurityHub"
		73 |     METRIC_NAME        = "SecurityHubFindings"
		74 |     ACCOUNT_NAMES_JSON = jsonencode(local.securityhub_account_name_map)
		75 |   }
		76 |
		77 |   attach_policy_statements = true
		78 |   policy_statements = {
		79 |     cloudwatch = {
		80 |       sid       = "AllowPutMetricData"
		81 |       effect    = "Allow"
		82 |       actions   = ["cloudwatch:PutMetricData"]
		83 |       resources = ["*"]
		84 |     }
		85 |   }
		86 |
		87 |   allowed_triggers = {
		88 |     securityhub_events = {
		89 |       principal  = "events.amazonaws.com"
		90 |       source_arn = aws_cloudwatch_event_rule.securityhub_new_high_critical.arn
		91 |     }
		92 |   }
		93 | }


checkov_exitcode=2

TFLint Scan Success

*****************************

Using default config
Installing "terraform" plugin...
Installed "terraform" (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.9.1)
tflint checking:
terraform/environments/observability-platform
terraform/environments/observability-platform/modules/grafana/amazon-prometheus-query-source
terraform/environments/observability-platform/modules/grafana/athena-source
terraform/environments/observability-platform/modules/grafana/cloudwatch-source
terraform/environments/observability-platform/modules/grafana/contact-point/pagerduty
terraform/environments/observability-platform/modules/grafana/contact-point/slack
terraform/environments/observability-platform/modules/grafana/team
terraform/environments/observability-platform/modules/grafana/xray-source
terraform/environments/observability-platform/modules/observability-platform/tenant-configuration
terraform/environments/observability-platform/modules/prometheus/iam-role
terraform/environments/observability-platform

*****************************

Running tflint in terraform/environments/observability-platform
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/observability-platform/modules/grafana/amazon-prometheus-query-source
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/observability-platform/modules/grafana/athena-source
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/observability-platform/modules/grafana/cloudwatch-source
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/observability-platform/modules/grafana/contact-point/pagerduty
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/observability-platform/modules/grafana/contact-point/slack
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/observability-platform/modules/grafana/team
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/observability-platform/modules/grafana/xray-source
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/observability-platform/modules/observability-platform/tenant-configuration
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/observability-platform/modules/prometheus/iam-role
tflint_exitcode=0

*****************************

Running tflint in terraform/environments/observability-platform
tflint_exitcode=0
