From ce81f558ed25500290ad88368bc39db9feb1c02c Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Sun, 9 Jan 2022 11:08:14 +0200
Subject: [PATCH] Address Checkov warnings.
Mostly ignore things I'm not interested in but it did find somethings.
---
functions.tf | 33 +++++++++++++++++++--------------
log-groups.tf | 1 +
s3.tf | 15 +++++++++++++++
sms-notify.tf | 32 +++++++++++++++++++-------------
sns.tf | 1 +
5 files changed, 55 insertions(+), 27 deletions(-)
diff --git a/functions.tf b/functions.tf
index 9b6b9a0..74c5367 100644
--- a/functions.tf
+++ b/functions.tf
@@ -108,20 +108,25 @@ output "timeout" {
}
resource "aws_lambda_function" "function" {
- count = length(local.functions)
- runtime = var.runtime
- function_name = local.function_names[count.index]
- role = local.lambda_role_arn
- source_code_hash = filebase64sha256("payload.zip")
- s3_bucket = local.payloads_bucket_name
- s3_key = local.payload_object_name
- s3_object_version = local.payload_object_version
- package_type = "Zip"
- handler = "${local.functions[count.index]}.handler"
- description = "${local.module} ${local.functions[count.index]} check in ${local.env}."
- memory_size = var.memory_size
- tags = local.common_tags
- timeout = var.timeout
+ # checkov:skip=CKV_AWS_50
+ # checkov:skip=CKV_AWS_116
+ # checkov:skip=CKV_AWS_117
+ # checkov:skip=CKV_AWS_173
+ count = length(local.functions)
+ runtime = var.runtime
+ function_name = local.function_names[count.index]
+ role = local.lambda_role_arn
+ source_code_hash = filebase64sha256("payload.zip")
+ s3_bucket = local.payloads_bucket_name
+ s3_key = local.payload_object_name
+ s3_object_version = local.payload_object_version
+ package_type = "Zip"
+ handler = "${local.functions[count.index]}.handler"
+ description = "${local.module} ${local.functions[count.index]} check in ${local.env}."
+ memory_size = var.memory_size
+ reserved_concurrent_executions = -1
+ tags = local.common_tags
+ timeout = var.timeout
environment {
variables = {
diff --git a/log-groups.tf b/log-groups.tf
index f0e86d6..a50e4fa 100644
--- a/log-groups.tf
+++ b/log-groups.tf
@@ -1,4 +1,5 @@
resource "aws_cloudwatch_log_group" "lambda" {
+ # checkov:skip=CKV_AWS_158
count = length(local.function_names)
name = "/aws/lambda/${local.function_names[count.index]}"
retention_in_days = var.log_retention
diff --git a/s3.tf b/s3.tf
index 2d71652..0786116 100644
--- a/s3.tf
+++ b/s3.tf
@@ -1,4 +1,8 @@
resource "aws_s3_bucket" "payloads" {
+ # checkov:skip=CKV_AWS_18
+ # checkov:skip=CKV_AWS_19
+ # checkov:skip=CKV_AWS_144
+ # checkov:skip=CKV_AWS_145
bucket = local.Name
tags = local.common_tags
acl = "private"
@@ -9,11 +13,21 @@ resource "aws_s3_bucket" "payloads" {
}
}
+
locals {
payloads_bucket_arn = aws_s3_bucket.payloads.arn
payloads_bucket_name = aws_s3_bucket.payloads.bucket
}
+resource "aws_s3_bucket_public_access_block" "payloads" {
+ bucket = aws_s3_bucket.payloads.bucket
+
+ block_public_acls = true
+ block_public_policy = true
+ ignore_public_acls = true
+ restrict_public_buckets = true
+}
+
output "payloads_bucket_arn" {
description = "ARN of the payloads S3 bucket."
value = local.payloads_bucket_arn
@@ -25,6 +39,7 @@ output "payloads_bucket_name" {
}
resource "aws_s3_bucket_object" "payload" {
+ # checkov:skip=CKV_AWS_186
bucket = local.payloads_bucket_name
key = "payload.zip"
source = "payload.zip"
diff --git a/sms-notify.tf b/sms-notify.tf
index 27047ee..a952408 100644
--- a/sms-notify.tf
+++ b/sms-notify.tf
@@ -12,19 +12,24 @@ variable "twilio_from_number" {
}
resource "aws_lambda_function" "sms_notify" {
- runtime = var.runtime
- function_name = "${local.function_name_prefix}-sms-notify"
- role = local.lambda_role_arn
- source_code_hash = filebase64sha256("payload.zip")
- s3_bucket = local.payloads_bucket_name
- s3_key = local.payload_object_name
- s3_object_version = local.payload_object_version
- package_type = "Zip"
- handler = "sms_notify.handler"
- description = "Send SMS message notification using Twilio."
- memory_size = var.memory_size
- tags = local.common_tags
- timeout = var.timeout
+ # checkov:skip=CKV_AWS_50
+ # checkov:skip=CKV_AWS_116
+ # checkov:skip=CKV_AWS_117
+ # checkov:skip=CKV_AWS_173
+ runtime = var.runtime
+ function_name = "${local.function_name_prefix}-sms-notify"
+ role = local.lambda_role_arn
+ source_code_hash = filebase64sha256("payload.zip")
+ s3_bucket = local.payloads_bucket_name
+ s3_key = local.payload_object_name
+ s3_object_version = local.payload_object_version
+ package_type = "Zip"
+ handler = "sms_notify.handler"
+ description = "Send SMS message notification using Twilio."
+ memory_size = var.memory_size
+ reserved_concurrent_executions = -1
+ tags = local.common_tags
+ timeout = var.timeout
environment {
variables = {
@@ -103,6 +108,7 @@ resource "aws_sns_topic_subscription" "sms_notify" {
]
}
resource "aws_cloudwatch_log_group" "sms_notify" {
+ # checkov:skip=CKV_AWS_158
name = "/aws/lambda/${local.function_name_prefix}-sms-notify"
retention_in_days = var.log_retention
tags = local.common_tags
diff --git a/sns.tf b/sns.tf
index 6ddf0d9..98dce86 100644
--- a/sns.tf
+++ b/sns.tf
@@ -1,4 +1,5 @@
resource "aws_sns_topic" "topic" {
+ # checkov:skip=CKV_AWS_26
name = local.Name
tags = local.common_tags
}
--
GitLab