nimrod · nimrod · ce81f558 · ce81f558 · ce81f558 · ce81f558
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -62,6 +62,11 @@ repos:
      - id: terraform-fmt
      - id: terraform-validate
+  - repo: https://github.com/bridgecrewio/checkov.git
+    rev: 2.0.708
+    hooks:
+      - id: checkov
  - repo: https://github.com/ambv/black.git
    rev: 21.10b0
    hooks:

--- a/functions.tf
+++ b/functions.tf
@@ -108,20 +108,25 @@ output "timeout" {
 }
 resource "aws_lambda_function" "function" {
-  count             = length(local.functions)
+  # checkov:skip=CKV_AWS_50
-  runtime           = var.runtime
+  # checkov:skip=CKV_AWS_116
-  function_name     = local.function_names[count.index]
+  # checkov:skip=CKV_AWS_117
-  role              = local.lambda_role_arn
+  # checkov:skip=CKV_AWS_173
-  source_code_hash  = filebase64sha256("payload.zip")
+  count                          = length(local.functions)
-  s3_bucket         = local.payloads_bucket_name
+  runtime                        = var.runtime
-  s3_key            = local.payload_object_name
+  function_name                  = local.function_names[count.index]
-  s3_object_version = local.payload_object_version
+  role                           = local.lambda_role_arn
-  package_type      = "Zip"
+  source_code_hash               = filebase64sha256("payload.zip")
-  handler           = "${local.functions[count.index]}.handler"
+  s3_bucket                      = local.payloads_bucket_name
-  description       = "${local.module} ${local.functions[count.index]} check in ${local.env}."
+  s3_key                         = local.payload_object_name
-  memory_size       = var.memory_size
+  s3_object_version              = local.payload_object_version
-  tags              = local.common_tags
+  package_type                   = "Zip"
-  timeout           = var.timeout
+  handler                        = "${local.functions[count.index]}.handler"
+  description                    = "${local.module} ${local.functions[count.index]} check in ${local.env}."
+  memory_size                    = var.memory_size
+  reserved_concurrent_executions = -1
+  tags                           = local.common_tags
+  timeout                        = var.timeout
  environment {
    variables = {

--- a/log-groups.tf
+++ b/log-groups.tf
 resource "aws_cloudwatch_log_group" "lambda" {
+  # checkov:skip=CKV_AWS_158
  count             = length(local.function_names)
  name              = "/aws/lambda/${local.function_names[count.index]}"
  retention_in_days = var.log_retention

--- a/s3.tf
+++ b/s3.tf
 resource "aws_s3_bucket" "payloads" {
+  # checkov:skip=CKV_AWS_18
+  # checkov:skip=CKV_AWS_19
+  # checkov:skip=CKV_AWS_144
+  # checkov:skip=CKV_AWS_145
  bucket        = local.Name
  tags          = local.common_tags
  acl           = "private"
@@ -9,11 +13,21 @@ resource "aws_s3_bucket" "payloads" {
  }
 }
 locals {
  payloads_bucket_arn  = aws_s3_bucket.payloads.arn
  payloads_bucket_name = aws_s3_bucket.payloads.bucket
 }
+resource "aws_s3_bucket_public_access_block" "payloads" {
+  bucket = aws_s3_bucket.payloads.bucket
+  block_public_acls       = true
+  block_public_policy     = true
+  ignore_public_acls      = true
+  restrict_public_buckets = true
+}
 output "payloads_bucket_arn" {
  description = "ARN of the payloads S3 bucket."
  value       = local.payloads_bucket_arn
@@ -25,6 +39,7 @@ output "payloads_bucket_name" {
 }
 resource "aws_s3_bucket_object" "payload" {
+  # checkov:skip=CKV_AWS_186
  bucket = local.payloads_bucket_name
  key    = "payload.zip"
  source = "payload.zip"

--- a/sms-notify.tf
+++ b/sms-notify.tf
@@ -12,19 +12,24 @@ variable "twilio_from_number" {
 }
 resource "aws_lambda_function" "sms_notify" {
-  runtime           = var.runtime
+  # checkov:skip=CKV_AWS_50
-  function_name     = "${local.function_name_prefix}-sms-notify"
+  # checkov:skip=CKV_AWS_116
-  role              = local.lambda_role_arn
+  # checkov:skip=CKV_AWS_117
-  source_code_hash  = filebase64sha256("payload.zip")
+  # checkov:skip=CKV_AWS_173
-  s3_bucket         = local.payloads_bucket_name
+  runtime                        = var.runtime
-  s3_key            = local.payload_object_name
+  function_name                  = "${local.function_name_prefix}-sms-notify"
-  s3_object_version = local.payload_object_version
+  role                           = local.lambda_role_arn
-  package_type      = "Zip"
+  source_code_hash               = filebase64sha256("payload.zip")
-  handler           = "sms_notify.handler"
+  s3_bucket                      = local.payloads_bucket_name
-  description       = "Send SMS message notification using Twilio."
+  s3_key                         = local.payload_object_name
-  memory_size       = var.memory_size
+  s3_object_version              = local.payload_object_version
-  tags              = local.common_tags
+  package_type                   = "Zip"
-  timeout           = var.timeout
+  handler                        = "sms_notify.handler"
+  description                    = "Send SMS message notification using Twilio."
+  memory_size                    = var.memory_size
+  reserved_concurrent_executions = -1
+  tags                           = local.common_tags
+  timeout                        = var.timeout
  environment {
    variables = {
@@ -103,6 +108,7 @@ resource "aws_sns_topic_subscription" "sms_notify" {
  ]
 }
 resource "aws_cloudwatch_log_group" "sms_notify" {
+  # checkov:skip=CKV_AWS_158
  name              = "/aws/lambda/${local.function_name_prefix}-sms-notify"
  retention_in_days = var.log_retention
  tags              = local.common_tags

--- a/sns.tf
+++ b/sns.tf
 resource "aws_sns_topic" "topic" {
+  # checkov:skip=CKV_AWS_26
  name = local.Name
  tags = local.common_tags
 }