Address Checkov warnings.

Mostly ignore things I'm not interested in but it did find somethings.

functions.tf

@@ -108,6 +108,10 @@ output "timeout" {
 }
 
 resource "aws_lambda_function" "function" {
+  # checkov:skip=CKV_AWS_50
+  # checkov:skip=CKV_AWS_116
+  # checkov:skip=CKV_AWS_117
+  # checkov:skip=CKV_AWS_173
   count                          = length(local.functions)
   runtime                        = var.runtime
   function_name                  = local.function_names[count.index]
@@ -120,6 +124,7 @@ resource "aws_lambda_function" "function" {
   handler                        = "${local.functions[count.index]}.handler"
   description                    = "${local.module} ${local.functions[count.index]} check in ${local.env}."
   memory_size                    = var.memory_size
+  reserved_concurrent_executions = -1
   tags                           = local.common_tags
   timeout                        = var.timeout
 

log-groups.tf

 resource "aws_cloudwatch_log_group" "lambda" {
+  # checkov:skip=CKV_AWS_158
   count             = length(local.function_names)
   name              = "/aws/lambda/${local.function_names[count.index]}"
   retention_in_days = var.log_retention

s3.tf

 resource "aws_s3_bucket" "payloads" {
+  # checkov:skip=CKV_AWS_18
+  # checkov:skip=CKV_AWS_19
+  # checkov:skip=CKV_AWS_144
+  # checkov:skip=CKV_AWS_145
   bucket        = local.Name
   tags          = local.common_tags
   acl           = "private"
@@ -9,11 +13,21 @@ resource "aws_s3_bucket" "payloads" {
   }
 }
 
+
 locals {
   payloads_bucket_arn  = aws_s3_bucket.payloads.arn
   payloads_bucket_name = aws_s3_bucket.payloads.bucket
 }
 
+resource "aws_s3_bucket_public_access_block" "payloads" {
+  bucket = aws_s3_bucket.payloads.bucket
+
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
+
 output "payloads_bucket_arn" {
   description = "ARN of the payloads S3 bucket."
   value       = local.payloads_bucket_arn
@@ -25,6 +39,7 @@ output "payloads_bucket_name" {
 }
 
 resource "aws_s3_bucket_object" "payload" {
+  # checkov:skip=CKV_AWS_186
   bucket = local.payloads_bucket_name
   key    = "payload.zip"
   source = "payload.zip"

sms-notify.tf

@@ -12,6 +12,10 @@ variable "twilio_from_number" {
 }
 
 resource "aws_lambda_function" "sms_notify" {
+  # checkov:skip=CKV_AWS_50
+  # checkov:skip=CKV_AWS_116
+  # checkov:skip=CKV_AWS_117
+  # checkov:skip=CKV_AWS_173
   runtime                        = var.runtime
   function_name                  = "${local.function_name_prefix}-sms-notify"
   role                           = local.lambda_role_arn
@@ -23,6 +27,7 @@ resource "aws_lambda_function" "sms_notify" {
   handler                        = "sms_notify.handler"
   description                    = "Send SMS message notification using Twilio."
   memory_size                    = var.memory_size
+  reserved_concurrent_executions = -1
   tags                           = local.common_tags
   timeout                        = var.timeout
 
@@ -103,6 +108,7 @@ resource "aws_sns_topic_subscription" "sms_notify" {
   ]
 }
 resource "aws_cloudwatch_log_group" "sms_notify" {
+  # checkov:skip=CKV_AWS_158
   name              = "/aws/lambda/${local.function_name_prefix}-sms-notify"
   retention_in_days = var.log_retention
   tags              = local.common_tags

sns.tf

 resource "aws_sns_topic" "topic" {
+  # checkov:skip=CKV_AWS_26
   name = local.Name
   tags = local.common_tags
 }