https://github.com/andgineer/terraform-aws-cloudmap/issues/1

chechov 3

terraform/modules/common/s3.tf

@@ -8,6 +8,12 @@ resource "aws_s3_bucket" "this" {
   #checkov:skip=CKV_AWS_62: S3 bucket no notfication
   #checkov:skip=CKV_AWS_18: no logging access
   #checkov:skip=CKV2_AWS_6: no public access
+  #checkov:skip=CKV2_AWS_62: no auto rotation
+  #checkov:skip=CKV2_AWS_62: notification
+  #checkov:skip=CKV_AWS_144: no cross region replication
+  #checkov:skip=CKV_AWS_145: encrypted by KMS
+  #checkov:skip=CKV_AWS_21: no versioning
+  #checkov:skip=CKV2_AWS_61: lifecycle policy
   count  = terraform.workspace == local.common_workspace ? 1 : 0
   bucket = "andgineer-bucket"
     force_destroy = true # 'terraform destroy' will remove the S3 bucket, even if it contains objects

terraform/modules/ecs-ec2/database.tf

@@ -6,6 +6,7 @@ resource "random_password" "db" {  # tflint-ignore: terraform_required_providers
 resource "aws_secretsmanager_secret" "database" {  # tfsec:ignore:aws-ssm-secret-use-customer-key
   #checkov:skip=CKV_AWS_149: KMS encryption
   #checkov:skip=CKV_AWS_57: no rotation
+  #checkov:skip=CKV2_AWS_57: no rotation
   name                    = "${var.ecs_name}-database"
   description             = "Credentials for the database"
   recovery_window_in_days = 0 # remove AWS delete protection to ease terraform destroy
@@ -46,6 +47,7 @@ resource "aws_rds_cluster" "database" {  # tfsec:ignore:aws-rds-encrypt-cluster-
   #checkov:skip=CKV_AWS_162: no IAM auth
   #checkov:skip=CKV_AWS_324: no DB logs
   #checkov:skip=CKV2_AWS_8: backup retention
+  #checkov:skip=CKV2_AWS_27: query logging
   cluster_identifier              = "${var.ecs_name}-db"
   engine                          = "aurora-postgresql"
   engine_mode                     = "provisioned" # "serverless" for serverless v1