Rebooting GitLab may trigger ClamAV alarm (#6114)
dsotirho-ucsc committed Apr 12, 2024
1 parent 8997de2 commit affc2ec
Showing 1 changed file with 10 additions and 6 deletions.
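--- a/terraform/shared/shared.tf.json.template.py
+++ b/terraform/shared/shared.tf.json.template.py
@@ -108,6 +108,13 @@ def conformance_pack(name: str) -> str:
 '$.eventType !="AwsServiceEvent"}')
 ]
 
+# The occasional deployment and/or backup of the GitLab instance requires a
+# reboot, which can interrupt an ongoing ClamAV scan. Since scans are run twice
+# a day, we set the alarm period to 24 hours (maximum allowed by CloudWatch) to
+# allow enough time for a scan to complete following an interrupted scan.
+#
+clam_alarm_period = 24 * 60 * 60
+
 tf_config = {
 'data': {
 'aws_iam_role': {
@@ -535,10 +542,7 @@ def conformance_pack(name: str) -> str:
 'statistic': 'Sum',
 'treat_missing_data': 'notBreaching',
 'threshold': 1,
-# With ClamScan running twice a day we've got a 12h period,
-# plus 8h upper bound on running time, minus 2h lower bound
-# on running time, giving us an 18h evaluation period.
-'period': 18 * 60 * 60,
+'period': clam_alarm_period,
 'alarm_actions': ['${aws_sns_topic.monitoring.arn}'],
 'ok_actions': ['${aws_sns_topic.monitoring.arn}']
 }
@@ -578,8 +582,8 @@ def conformance_pack(name: str) -> str:
 ]
 } for resource_name, period in [
 ('trail_logs', 10 * 60),
-('clamscan', 18 * 60 * 60),
-('freshclam', 18 * 60 * 60)
+('clamscan', clam_alarm_period),
+('freshclam', clam_alarm_period)
 ]
 }
 },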
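Review bot: The comment above `clam_alarm_period` justifies the 24-hour window only for interrupted ClamAV scans, yet the constant is also applied to the `freshclam` entry in the third hunk, where no scan-timing argument is given for signature updates. Widening the period from 18 to 24 hours presumably also means that a scan or signature update which stops producing events is reported several hours later than before, and that monitoring trade-off is not recorded anywhere in the new code. I would add a line to the comment such as `# The same period is used for the freshclam alarm; a missed scan or signature update can take up to 24 hours to raise an alarm.` The `tf_config` literal and the list holding these tuples both continue outside the visible hunks, so what each alarm actually measures is inferred from the resource names and should be confirmed against the full file.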
