diff --git a/functions.tf b/functions.tf
index 9b6b9a01f727a953da4170cc28b71c02ee401202..74c5367d1050d3fac22da6b6d127b60631bc930c 100644
--- a/functions.tf
+++ b/functions.tf
@@ -108,20 +108,25 @@ output "timeout" {
}
resource "aws_lambda_function" "function" {
- count = length(local.functions)
- runtime = var.runtime
- function_name = local.function_names[count.index]
- role = local.lambda_role_arn
- source_code_hash = filebase64sha256("payload.zip")
- s3_bucket = local.payloads_bucket_name
- s3_key = local.payload_object_name
- s3_object_version = local.payload_object_version
- package_type = "Zip"
- handler = "${local.functions[count.index]}.handler"
- description = "${local.module} ${local.functions[count.index]} check in ${local.env}."
- memory_size = var.memory_size
- tags = local.common_tags
- timeout = var.timeout
+ # checkov:skip=CKV_AWS_50
+ # checkov:skip=CKV_AWS_116
+ # checkov:skip=CKV_AWS_117
+ # checkov:skip=CKV_AWS_173
+ count = length(local.functions)
+ runtime = var.runtime
+ function_name = local.function_names[count.index]
+ role = local.lambda_role_arn
+ source_code_hash = filebase64sha256("payload.zip")
+ s3_bucket = local.payloads_bucket_name
+ s3_key = local.payload_object_name
+ s3_object_version = local.payload_object_version
+ package_type = "Zip"
+ handler = "${local.functions[count.index]}.handler"
+ description = "${local.module} ${local.functions[count.index]} check in ${local.env}."
+ memory_size = var.memory_size
+ reserved_concurrent_executions = -1
+ tags = local.common_tags
+ timeout = var.timeout
environment {
variables = {
diff --git a/log-groups.tf b/log-groups.tf
index f0e86d62c0629a3f30badf5ab7878f3c0d25c9cd..a50e4fa9b0dad5b06710ff1e554037afdd990551 100644
--- a/log-groups.tf
+++ b/log-groups.tf
@@ -1,4 +1,5 @@
resource "aws_cloudwatch_log_group" "lambda" {
+ # checkov:skip=CKV_AWS_158
count = length(local.function_names)
name = "/aws/lambda/${local.function_names[count.index]}"
retention_in_days = var.log_retention
diff --git a/s3.tf b/s3.tf
index 2d71652355efd0ec73adee7e1cd4fa6ba15bd97d..0786116057d31d0a8defb985a56606310807c4be 100644
--- a/s3.tf
+++ b/s3.tf
@@ -1,4 +1,8 @@
resource "aws_s3_bucket" "payloads" {
+ # checkov:skip=CKV_AWS_18
+ # checkov:skip=CKV_AWS_19
+ # checkov:skip=CKV_AWS_144
+ # checkov:skip=CKV_AWS_145
bucket = local.Name
tags = local.common_tags
acl = "private"
@@ -9,11 +13,21 @@ resource "aws_s3_bucket" "payloads" {
}
}
+
locals {
payloads_bucket_arn = aws_s3_bucket.payloads.arn
payloads_bucket_name = aws_s3_bucket.payloads.bucket
}
+resource "aws_s3_bucket_public_access_block" "payloads" {
+ bucket = aws_s3_bucket.payloads.bucket
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
output "payloads_bucket_arn" {
description = "ARN of the payloads S3 bucket."
value = local.payloads_bucket_arn
@@ -25,6 +39,7 @@ output "payloads_bucket_name" {
}
resource "aws_s3_bucket_object" "payload" {
+ # checkov:skip=CKV_AWS_186
bucket = local.payloads_bucket_name
key = "payload.zip"
source = "payload.zip"
diff --git a/sms-notify.tf b/sms-notify.tf
index 27047ee97eaf80d4749132367d039a6c9c007fd4..a95240836e40fe76a12db4243da0ef3e34dc7d62 100644
--- a/sms-notify.tf
+++ b/sms-notify.tf
@@ -12,19 +12,24 @@ variable "twilio_from_number" {
}
resource "aws_lambda_function" "sms_notify" {
- runtime = var.runtime
- function_name = "${local.function_name_prefix}-sms-notify"
- role = local.lambda_role_arn
- source_code_hash = filebase64sha256("payload.zip")
- s3_bucket = local.payloads_bucket_name
- s3_key = local.payload_object_name
- s3_object_version = local.payload_object_version
- package_type = "Zip"
- handler = "sms_notify.handler"
- description = "Send SMS message notification using Twilio."
- memory_size = var.memory_size
- tags = local.common_tags
- timeout = var.timeout
+ # checkov:skip=CKV_AWS_50
+ # checkov:skip=CKV_AWS_116
+ # checkov:skip=CKV_AWS_117
+ # checkov:skip=CKV_AWS_173
+ runtime = var.runtime
+ function_name = "${local.function_name_prefix}-sms-notify"
+ role = local.lambda_role_arn
+ source_code_hash = filebase64sha256("payload.zip")
+ s3_bucket = local.payloads_bucket_name
+ s3_key = local.payload_object_name
+ s3_object_version = local.payload_object_version
+ package_type = "Zip"
+ handler = "sms_notify.handler"
+ description = "Send SMS message notification using Twilio."
+ memory_size = var.memory_size
+ reserved_concurrent_executions = -1
+ tags = local.common_tags
+ timeout = var.timeout
environment {
variables = {
@@ -103,6 +108,7 @@ resource "aws_sns_topic_subscription" "sms_notify" {
]
}
resource "aws_cloudwatch_log_group" "sms_notify" {
+ # checkov:skip=CKV_AWS_158
name = "/aws/lambda/${local.function_name_prefix}-sms-notify"
retention_in_days = var.log_retention
tags = local.common_tags
diff --git a/sns.tf b/sns.tf
index 6ddf0d9e1380330a45144f574e9521c301eb095d..98dce86245b1f7295d9b386eaca48bb48e5b8a28 100644
--- a/sns.tf
+++ b/sns.tf
@@ -1,4 +1,5 @@
resource "aws_sns_topic" "topic" {
+ # checkov:skip=CKV_AWS_26
name = local.Name
tags = local.common_tags
}