Fix or annotate/ignore checkov issues above low

finos · Dec 6, 2023 · 6245a0e · 6245a0e
1 parent 679a407
commit 6245a0e
Show file tree

Hide file tree

Showing 6 changed files with 24 additions and 3 deletions.
diff --git a/.github/conf/checkov.yaml b/.github/conf/checkov.yaml
@@ -11,3 +11,5 @@ soft-fail: true
 skip-check:
   - CKV_TF_1 # "Ensure Terraform module sources use a commit hash"
   - CKV_K8S_21 # "The default namespace should not be used"
+  - CKV_AWS_18 # "Ensure the S3 bucket has access logging enabled"
+  - CKV_DOCKER_2 # "Ensure that HEALTHCHECK instructions have been added to container images"
diff --git a/deployment/dev_environment_cloud9/cfn/.trivyignore b/deployment/dev_environment_cloud9/cfn/.trivyignore
@@ -2,4 +2,4 @@
 AVD-AWS-0132
 AVD-AWS-0088
 AVD-AWS-0132
-AVD-AWS-0090
+AVD-AWS-0090
diff --git a/deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml b/deployment/dev_environment_cloud9/cfn/cloud9-htc-grid.yaml
@@ -276,6 +276,12 @@ Resources:
   C9OutputBucket:
     Type: AWS::S3::Bucket
     DeletionPolicy: Delete
+    Properties:
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
 
   C9OutputBucketPolicy:
     Type: 'AWS::S3::BucketPolicy'

diff --git a/deployment/grid/terraform/control_plane/openapi_private.tf b/deployment/grid/terraform/control_plane/openapi_private.tf
@@ -55,6 +55,7 @@ resource "aws_cloudwatch_log_group" "htc_private_api_cloudwatch_log_group" {
 }
 
 
+#checkov:skip=CKV_AWS_237: Create before destroy already implemented in the deployment
 resource "aws_api_gateway_rest_api" "htc_private_api" {
   name = "htc-private-api-${var.cluster_name}"
 
@@ -72,6 +73,7 @@ resource "aws_api_gateway_rest_api" "htc_private_api" {
 }
 
 
+#checkov:skip=CKV_AWS_237: Create before destroy already implemented
 resource "aws_api_gateway_deployment" "htc_private_api_deployment" {
   rest_api_id = aws_api_gateway_rest_api.htc_private_api.id
 
@@ -94,7 +96,8 @@ resource "aws_api_gateway_deployment" "htc_private_api_deployment" {
   ]
 }
 
-
+#checkov:skip=CKV_AWS_120: API Gateway caching wouldn't work for this API
+#checkov:skip=CKV2_AWS_51:[TODO] Client certificate authentication will be implemented instead of Cognito
 resource "aws_api_gateway_stage" "htc_private_api_stage" {
   rest_api_id   = aws_api_gateway_rest_api.htc_private_api.id
   deployment_id = aws_api_gateway_deployment.htc_private_api_deployment.id
@@ -113,6 +116,8 @@ resource "aws_api_gateway_stage" "htc_private_api_stage" {
   ]
 }
 
+#checkov:skip=CKV_AWS_308: API Gateway method setting caching encryption wouldn't work for this API
+#checkov:skip=CKV_AWS_225: API Gateway method setting caching wouldn't work for this API
 resource "aws_api_gateway_method_settings" "htc_private_api_method_settings" {
   rest_api_id = aws_api_gateway_rest_api.htc_private_api.id
   stage_name  = aws_api_gateway_stage.htc_private_api_stage.stage_name

diff --git a/deployment/grid/terraform/control_plane/openapi_public.tf b/deployment/grid/terraform/control_plane/openapi_public.tf
@@ -55,6 +55,7 @@ resource "aws_cloudwatch_log_group" "htc_public_api_cloudwatch_log_group" {
 }
 
 
+#checkov:skip=CKV_AWS_237: Create before destroy already implemented in the deployment
 resource "aws_api_gateway_rest_api" "htc_public_api" {
   name = "htc-public-api-${var.cluster_name}"
 
@@ -73,6 +74,7 @@ resource "aws_api_gateway_rest_api" "htc_public_api" {
 }
 
 
+#checkov:skip=CKV_AWS_237: Create before destroy already implemented
 resource "aws_api_gateway_deployment" "htc_public_api_deployment" {
   rest_api_id = aws_api_gateway_rest_api.htc_public_api.id
 
@@ -93,6 +95,9 @@ resource "aws_api_gateway_deployment" "htc_public_api_deployment" {
 }
 
 
+#checkov:skip=CKV_AWS_120: API Gateway caching wouldn't work for this API
+#checkov:skip=CKV2_AWS_51:[TODO] Client certificate authentication will be implemented instead of Cognito
+#checkov:skip=CKV2_AWS_29:[TODO] WAF Protection will be added for the public API
 resource "aws_api_gateway_stage" "htc_public_api_stage" {
   rest_api_id   = aws_api_gateway_rest_api.htc_public_api.id
   deployment_id = aws_api_gateway_deployment.htc_public_api_deployment.id
@@ -111,6 +116,9 @@ resource "aws_api_gateway_stage" "htc_public_api_stage" {
   ]
 }
 
+
+#checkov:skip=CKV_AWS_308: API Gateway method setting caching encryption wouldn't work for this API
+#checkov:skip=CKV_AWS_225: API Gateway method setting caching wouldn't work for this API
 resource "aws_api_gateway_method_settings" "htc_public_api_method_settings" {
   rest_api_id = aws_api_gateway_rest_api.htc_public_api.id
   stage_name  = aws_api_gateway_stage.htc_public_api_stage.stage_name

diff --git a/deployment/grid/terraform/control_plane/redis.tf b/deployment/grid/terraform/control_plane/redis.tf
@@ -64,7 +64,7 @@ resource "random_password" "htc_data_cache_password" {
   min_special      = 1
 }
 
-
+#checkov:skip=CKV2_AWS_50:[TODO] Make HTC Data Cache Multi AZ Configrable
 resource "aws_elasticache_replication_group" "htc_data_cache" {
   replication_group_id = "htc-data-cache-${lower(local.suffix)}"
   description          = "Replication group for htc_data_cache cluster"