Address Checkov warnings.

Mostly ignore things I'm not interested in but it did find somethings.

Address Checkov warnings.
Mostly ignore things I'm not interested in but it did find somethings.
ce81f558 · nimrod · 5dbeb94b · ce81f558 · ce81f558 · ce81f558
Commit ce81f558 authored Jan 09, 2022 by nimrod
--- a/functions.tf
+++ b/functions.tf
@@ -108,20 +108,25 @@ output "timeout" {
 }

 resource "aws_lambda_function" "function" {
-  count             = length(local.functions)
-  runtime           = var.runtime
-  function_name     = local.function_names[count.index]
-  role              = local.lambda_role_arn
-  source_code_hash  = filebase64sha256("payload.zip")
-  s3_bucket         = local.payloads_bucket_name
-  s3_key            = local.payload_object_name
-  s3_object_version = local.payload_object_version
-  package_type      = "Zip"
-  handler           = "${local.functions[count.index]}.handler"
-  description       = "${local.module} ${local.functions[count.index]} check in ${local.env}."
-  memory_size       = var.memory_size
-  tags              = local.common_tags
-  timeout           = var.timeout
+  # checkov:skip=CKV_AWS_50
+  # checkov:skip=CKV_AWS_116
+  # checkov:skip=CKV_AWS_117
+  # checkov:skip=CKV_AWS_173
+  count                          = length(local.functions)
+  runtime                        = var.runtime
+  function_name                  = local.function_names[count.index]
+  role                           = local.lambda_role_arn
+  source_code_hash               = filebase64sha256("payload.zip")
+  s3_bucket                      = local.payloads_bucket_name
+  s3_key                         = local.payload_object_name
+  s3_object_version              = local.payload_object_version
+  package_type                   = "Zip"
+  handler                        = "${local.functions[count.index]}.handler"
+  description                    = "${local.module} ${local.functions[count.index]} check in ${local.env}."
+  memory_size                    = var.memory_size
+  reserved_concurrent_executions = -1
+  tags                           = local.common_tags
+  timeout                        = var.timeout

  environment {
    variables = {

--- a/log-groups.tf
+++ b/log-groups.tf
 resource "aws_cloudwatch_log_group" "lambda" {
+  # checkov:skip=CKV_AWS_158
  count             = length(local.function_names)
  name              = "/aws/lambda/${local.function_names[count.index]}"
  retention_in_days = var.log_retention

--- a/s3.tf
+++ b/s3.tf
 resource "aws_s3_bucket" "payloads" {
+  # checkov:skip=CKV_AWS_18
+  # checkov:skip=CKV_AWS_19
+  # checkov:skip=CKV_AWS_144
+  # checkov:skip=CKV_AWS_145
  bucket        = local.Name
  tags          = local.common_tags
  acl           = "private"
@@ -9,11 +13,21 @@ resource "aws_s3_bucket" "payloads" {
  }
 }

+
 locals {
  payloads_bucket_arn  = aws_s3_bucket.payloads.arn
  payloads_bucket_name = aws_s3_bucket.payloads.bucket
 }

+resource "aws_s3_bucket_public_access_block" "payloads" {
+  bucket = aws_s3_bucket.payloads.bucket
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
 output "payloads_bucket_arn" {
  description = "ARN of the payloads S3 bucket."
  value       = local.payloads_bucket_arn
@@ -25,6 +39,7 @@ output "payloads_bucket_name" {
 }

 resource "aws_s3_bucket_object" "payload" {
+  # checkov:skip=CKV_AWS_186
  bucket = local.payloads_bucket_name
  key    = "payload.zip"
  source = "payload.zip"

--- a/sms-notify.tf
+++ b/sms-notify.tf
@@ -12,19 +12,24 @@ variable "twilio_from_number" {
 }

 resource "aws_lambda_function" "sms_notify" {
-  runtime           = var.runtime
-  function_name     = "${local.function_name_prefix}-sms-notify"
-  role              = local.lambda_role_arn
-  source_code_hash  = filebase64sha256("payload.zip")
-  s3_bucket         = local.payloads_bucket_name
-  s3_key            = local.payload_object_name
-  s3_object_version = local.payload_object_version
-  package_type      = "Zip"
-  handler           = "sms_notify.handler"
-  description       = "Send SMS message notification using Twilio."
-  memory_size       = var.memory_size
-  tags              = local.common_tags
-  timeout           = var.timeout
+  # checkov:skip=CKV_AWS_50
+  # checkov:skip=CKV_AWS_116
+  # checkov:skip=CKV_AWS_117
+  # checkov:skip=CKV_AWS_173
+  runtime                        = var.runtime
+  function_name                  = "${local.function_name_prefix}-sms-notify"
+  role                           = local.lambda_role_arn
+  source_code_hash               = filebase64sha256("payload.zip")
+  s3_bucket                      = local.payloads_bucket_name
+  s3_key                         = local.payload_object_name
+  s3_object_version              = local.payload_object_version
+  package_type                   = "Zip"
+  handler                        = "sms_notify.handler"
+  description                    = "Send SMS message notification using Twilio."
+  memory_size                    = var.memory_size
+  reserved_concurrent_executions = -1
+  tags                           = local.common_tags
+  timeout                        = var.timeout

  environment {
    variables = {
@@ -103,6 +108,7 @@ resource "aws_sns_topic_subscription" "sms_notify" {
  ]
 }
 resource "aws_cloudwatch_log_group" "sms_notify" {
+  # checkov:skip=CKV_AWS_158
  name              = "/aws/lambda/${local.function_name_prefix}-sms-notify"
  retention_in_days = var.log_retention
  tags              = local.common_tags

--- a/sns.tf
+++ b/sns.tf
 resource "aws_sns_topic" "topic" {
+  # checkov:skip=CKV_AWS_26
  name = local.Name
  tags = local.common_tags
 }