https://github.com/andgineer/terraform-aws-cloudmap/issues/1

chechov
andgineer · Oct 18, 2024 · 9d9c8e4 · 9d9c8e4
1 parent b69ba8e
commit 9d9c8e4
Show file tree

Hide file tree

Showing 6 changed files with 10 additions and 3 deletions.
diff --git a/terraform/modules/ecs-ec2/cloudwatch.tf b/terraform/modules/ecs-ec2/cloudwatch.tf
@@ -3,6 +3,7 @@
 #
 resource "aws_cloudwatch_log_group" "this" {  # tflint-ignore: terraform_required_providers  # tfsec:ignore:aws-cloudwatch-log-group-customer-key
   #checkov:skip=CKV_AWS_158: https://docs.bridgecrew.io/docs/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
+  #checkov:skip=CKV_AWS_338: no need to retain groups
   name              = var.log_group_name
   retention_in_days = 30
 

diff --git a/terraform/modules/ecs-ec2/database.tf b/terraform/modules/ecs-ec2/database.tf
@@ -79,8 +79,10 @@ resource "aws_rds_cluster" "database" {  # tfsec:ignore:aws-rds-encrypt-cluster-
 }
 
 # is necessary for serverless v2 only
-resource "aws_rds_cluster_instance" "orthanc" {  # tfsec:ignore:aws-rds-enable-performance-insights
+resource "aws_rds_cluster_instance" "orthanc" {  # tflint-ignore: terraform_required_providers # tfsec:ignore:aws-rds-enable-performance-insights
   #checkov:skip=CKV_AWS_118: do not want to mess with monitoring ARN for the detailed monitoring
+  #checkov:skip=CKV_AWS_353: no need for performance insights
+  #checkov:skip=CKV_AWS_354: no encryption for performance insights
   identifier                 = "${var.ecs_name}-db"
   cluster_identifier         = aws_rds_cluster.database.id
   instance_class             = "db.serverless"  # serverless v2

diff --git a/terraform/modules/ecs-ec2/iam.tf b/terraform/modules/ecs-ec2/iam.tf
@@ -68,6 +68,7 @@ resource "aws_iam_role" "ecs_task_execution" {
 ## ============================== ECS Container Role ==============================
 data "aws_iam_policy_document" "ecs_instance" {
   #checkov:skip=CKV_AWS_111:
+  #checkov:skip=CKV_AWS_356:Start resource is ok in Demo
 
   # CloudWatch
   statement {

diff --git a/terraform/modules/ecs-fargate/balancer.tf b/terraform/modules/ecs-fargate/balancer.tf
@@ -33,6 +33,7 @@ resource "aws_alb_listener" "this" {
 }
 
 resource "aws_lb_target_group" "this" {  # tflint-ignore: terraform_required_providers
+  #checkov:skip=CKV_AWS_378:Ok without SSL for demo
   name        = var.ecs_name
   port        = 80
   protocol    = "HTTP"

diff --git a/terraform/modules/ecs-fargate/cloudwatch.tf b/terraform/modules/ecs-fargate/cloudwatch.tf
@@ -1,8 +1,9 @@
 #
 # Cloudwatch logging group
 #
-resource "aws_cloudwatch_log_group" "this" {  # tflint-ignore: terraform_required_providers  # tfsec:ignore:aws-cloudwatch-log-group-customer-key
+resource "aws_cloudwatch_log_group" "this" {  #tfsec:ignore:aws-cloudwatch-log-group-customer-key
   #checkov:skip=CKV_AWS_158: https://docs.bridgecrew.io/docs/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
+  #checkov:skip=CKV_AWS_338: No need to retain groups
   name              = var.log_group_name
   retention_in_days = 30
 

diff --git a/terraform/modules/ecs-fargate/iam.tf b/terraform/modules/ecs-fargate/iam.tf
@@ -61,7 +61,8 @@ resource "aws_iam_role" "ecs_task_execution" {
 
 ## ============================== ECS Container Role ==============================
 data "aws_iam_policy_document" "ecs_instance" {
-  #checkov:skip=CKV_AWS_111:
+  # checkov:skip=CKV_AWS_356:Start resource is ok in Demo
+  # checkov:skip=CKV_AWS_111:
 
     # CloudWatch
     statement {