https://github.com/andgineer/terraform-aws-cloudmap/issues/1

tfsec fixes

terraform/modules/ecs-ec2/cloudwatch.tf

@@ -1,7 +1,7 @@
 #
 # CloudWatch logging group
 #
-resource "aws_cloudwatch_log_group" "this" {  # tflint-ignore: terraform_required_providers
+resource "aws_cloudwatch_log_group" "this" {  # tflint-ignore: terraform_required_providers  # tfsec:ignore:aws-cloudwatch-log-group-customer-key
   #checkov:skip=CKV_AWS_158: https://docs.bridgecrew.io/docs/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
   name              = var.log_group_name
   retention_in_days = 30

terraform/modules/ecs-ec2/database.tf

@@ -3,7 +3,7 @@ resource "random_password" "db" {  # tflint-ignore: terraform_required_providers
   special = false
 }
 
-resource "aws_secretsmanager_secret" "database" {
+resource "aws_secretsmanager_secret" "database" {  # tfsec:ignore:aws-ssm-secret-use-customer-key
   #checkov:skip=CKV_AWS_149: KMS encryption
   name                    = "${var.ecs_name}-database"
   description             = "Credentials for the database"
@@ -39,7 +39,7 @@ resource "aws_db_subnet_group" "this" {
   tags       = var.tags
 }
 
-resource "aws_rds_cluster" "database" {
+resource "aws_rds_cluster" "database" {  # tfsec:ignore:aws-rds-encrypt-cluster-storage-data
   #checkov:skip=CKV_AWS_139: Deletion protection
   #checkov:skip=CKV_AWS_327: KMS encryption
   #checkov:skip=CKV_AWS_162: no IAM auth
@@ -79,7 +79,7 @@ resource "aws_rds_cluster" "database" {
 }
 
 # is necessary for serverless v2 only
-resource "aws_rds_cluster_instance" "orthanc" {
+resource "aws_rds_cluster_instance" "orthanc" {  # tfsec:ignore:aws-rds-enable-performance-insights
   #checkov:skip=CKV_AWS_118: do not want to mess with monitoring ARN for the detailed monitoring
   identifier                 = "${var.ecs_name}-db"
   cluster_identifier         = aws_rds_cluster.database.id

terraform/modules/ecs-ec2/ec2.tf

@@ -20,7 +20,7 @@ resource "aws_launch_configuration" "this" {
 #  key_name             = "andgineer"
   #checkov:skip=CKV_AWS_8: https://docs.bridgecrew.io/docs/general_13
 
-  root_block_device {
+  root_block_device {  # tfsec:ignore:aws-ec2-enable-launch-config-at-rest-encryption
     volume_type = "gp2"
     volume_size = "10"
   }

terraform/modules/ecs-fargate/balancer.tf

@@ -3,7 +3,7 @@
 ##
 #
 
-resource "aws_alb" "this" {
+resource "aws_alb" "this" {  # tfsec:ignore:aws-elb-drop-invalid-headers
   #checkov:skip=CKV_AWS_91:
   #checkov:skip=CKV_AWS_131:
   #checkov:skip=CKV_AWS_150:
@@ -22,7 +22,7 @@ resource "aws_alb_listener" "this" {
   #checkov:skip=CKV_AWS_103:
   load_balancer_arn = aws_alb.this.arn
   port              = 80
-  protocol          = "HTTP"
+  protocol          = "HTTP"  # tfsec:ignore:aws-elb-http-not-used
 
   default_action {
     type             = "forward"

terraform/modules/ecs-fargate/cloudwatch.tf

@@ -1,7 +1,7 @@
 #
 # Cloudwatch logging group
 #
-resource "aws_cloudwatch_log_group" "this" {  # tflint-ignore: terraform_required_providers
+resource "aws_cloudwatch_log_group" "this" {  # tflint-ignore: terraform_required_providers  # tfsec:ignore:aws-cloudwatch-log-group-customer-key
   #checkov:skip=CKV_AWS_158: https://docs.bridgecrew.io/docs/ensure-that-cloudwatch-log-group-is-encrypted-by-kms
   name              = var.log_group_name
   retention_in_days = 30

terraform/my-application/main.tf

@@ -40,7 +40,7 @@ data "aws_security_group" "sg_default" {
 
 ## Modules
 
-module "ecs-ec2" {
+module "ecs-ec2" {  # tfsec:ignore:aws-iam-no-policy-wildcards
   source = "../modules/ecs-ec2/"
 
   account_id = data.aws_caller_identity.current.account_id

terraform/my-application/versions.tf

@@ -2,6 +2,7 @@ terraform {
   required_providers {
     aws = {
       source = "hashicorp/aws"
+      version = ">= 3.0"
     }
   }
   required_version = ">= 1.0"