Commit ce81f558 authored by nimrod's avatar nimrod
Browse files

Address Checkov warnings.

Mostly ignore things I'm not interested in but it did find somethings.
parent 5dbeb94b
Loading
Loading
Loading
Loading
Loading
+19 −14
Original line number Diff line number Diff line
@@ -108,6 +108,10 @@ output "timeout" {
}

resource "aws_lambda_function" "function" {
  # checkov:skip=CKV_AWS_50
  # checkov:skip=CKV_AWS_116
  # checkov:skip=CKV_AWS_117
  # checkov:skip=CKV_AWS_173
  count                          = length(local.functions)
  runtime                        = var.runtime
  function_name                  = local.function_names[count.index]
@@ -120,6 +124,7 @@ resource "aws_lambda_function" "function" {
  handler                        = "${local.functions[count.index]}.handler"
  description                    = "${local.module} ${local.functions[count.index]} check in ${local.env}."
  memory_size                    = var.memory_size
  reserved_concurrent_executions = -1
  tags                           = local.common_tags
  timeout                        = var.timeout

+1 −0
Original line number Diff line number Diff line
resource "aws_cloudwatch_log_group" "lambda" {
  # checkov:skip=CKV_AWS_158
  count             = length(local.function_names)
  name              = "/aws/lambda/${local.function_names[count.index]}"
  retention_in_days = var.log_retention
+15 −0
Original line number Diff line number Diff line
resource "aws_s3_bucket" "payloads" {
  # checkov:skip=CKV_AWS_18
  # checkov:skip=CKV_AWS_19
  # checkov:skip=CKV_AWS_144
  # checkov:skip=CKV_AWS_145
  bucket        = local.Name
  tags          = local.common_tags
  acl           = "private"
@@ -9,11 +13,21 @@ resource "aws_s3_bucket" "payloads" {
  }
}


locals {
  payloads_bucket_arn  = aws_s3_bucket.payloads.arn
  payloads_bucket_name = aws_s3_bucket.payloads.bucket
}

resource "aws_s3_bucket_public_access_block" "payloads" {
  bucket = aws_s3_bucket.payloads.bucket

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

output "payloads_bucket_arn" {
  description = "ARN of the payloads S3 bucket."
  value       = local.payloads_bucket_arn
@@ -25,6 +39,7 @@ output "payloads_bucket_name" {
}

resource "aws_s3_bucket_object" "payload" {
  # checkov:skip=CKV_AWS_186
  bucket = local.payloads_bucket_name
  key    = "payload.zip"
  source = "payload.zip"
+19 −13
Original line number Diff line number Diff line
@@ -12,6 +12,10 @@ variable "twilio_from_number" {
}

resource "aws_lambda_function" "sms_notify" {
  # checkov:skip=CKV_AWS_50
  # checkov:skip=CKV_AWS_116
  # checkov:skip=CKV_AWS_117
  # checkov:skip=CKV_AWS_173
  runtime                        = var.runtime
  function_name                  = "${local.function_name_prefix}-sms-notify"
  role                           = local.lambda_role_arn
@@ -23,6 +27,7 @@ resource "aws_lambda_function" "sms_notify" {
  handler                        = "sms_notify.handler"
  description                    = "Send SMS message notification using Twilio."
  memory_size                    = var.memory_size
  reserved_concurrent_executions = -1
  tags                           = local.common_tags
  timeout                        = var.timeout

@@ -103,6 +108,7 @@ resource "aws_sns_topic_subscription" "sms_notify" {
  ]
}
resource "aws_cloudwatch_log_group" "sms_notify" {
  # checkov:skip=CKV_AWS_158
  name              = "/aws/lambda/${local.function_name_prefix}-sms-notify"
  retention_in_days = var.log_retention
  tags              = local.common_tags
+1 −0
Original line number Diff line number Diff line
resource "aws_sns_topic" "topic" {
  # checkov:skip=CKV_AWS_26
  name = local.Name
  tags = local.common_tags
}