7 files changed +12 -5
lines changed Original file line number Diff line number Diff line change 9494 " cpus" ,
9595 " cpuset" ,
9696 " gitter" ,
97+ " imds" ,
9798 " netsh" ,
9899 " Niek" ,
99100 " oxsecurity" ,
Original file line number Diff line number Diff line change @@ -57,6 +57,8 @@ resource "aws_launch_template" "this" {
5757
5858 tags = local. tags
5959
60+ # as per user decision. The module default is "required" for better security.
61+ # tfsec:ignore:aws-ec2-enforce-launch-config-http-token-imds
6062 metadata_options {
6163 http_tokens = var. runner_worker_docker_autoscaler_instance . http_tokens
6264 http_put_response_hop_limit = var. runner_worker_docker_autoscaler_instance . http_put_response_hop_limit
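Review bot: The tfsec:ignore placed above `metadata_options` suppresses the IMDSv2 finding for every value of `var.runner_worker_docker_autoscaler_instance.http_tokens`, so a caller that sets `"optional"` now passes the scan without any signal; the suppression is only sound because the module default is `"required"`, and the comment should say that the caller owns that decision. The rationale reads clearer as `# http_tokens defaults to "required"; a caller who sets "optional" knowingly relaxes the IMDSv2 requirement.` The variable definition changed in the last file section of this commit still carries a TODO asking whether the value should be fixed to `"required"`; if it stays configurable, a `validation` block on that variable, not a blanket ignore here, is the place to confine the accepted values.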
Original file line number Diff line number Diff line change @@ -13,6 +13,8 @@ locals {
1313 provided_kms_key = var. kms_key_id != " " ? var. kms_key_id : " "
1414}
1515
16+ # ignored as decided by the user
17+ # tfsec:ignore:aws-cloudwatch-log-group-customer-key
1618resource "aws_cloudwatch_log_group" "environment" {
1719 count = var. runner_cloudwatch . enable ? 1 : 0
1820 name = var. runner_cloudwatch . log_group_name != null ? var. runner_cloudwatch . log_group_name : var. environment
@@ -22,7 +24,6 @@ resource "aws_cloudwatch_log_group" "environment" {
2224 tags = local. tags
2325
2426 # ignored as decided by the user
25- # tfsec:ignore:aws-cloudwatch-log-group-customer-key
2627 # checkov:skip=CKV_AWS_158:Encryption can be enabled by user
2728 kms_key_id = local. kms_key_arn
2829}
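Review bot: After the tfsec:ignore moved above the resource, the line `# ignored as decided by the user` left at the old position (new line 26) now only annotates the checkov skip below it, so the same rationale appears twice inside one resource; drop the inner copy or merge both into a single comment above the resource. The same leftover rationale line remains in the build-cache versioning section (`# ok as decided by the user` above `# kics-scan ignore-line`) and in the lambda log-group section (`# ok as encryption can be activated by the user` above the checkov skip). "As decided by the user" also does not say what is decided; grounded in the `kms_key_id = local.kms_key_arn` assignment, `# kms_key_id is optional; when unset, no customer-managed key is applied to this log group` names the actual trade-off.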
Original file line number Diff line number Diff line change @@ -41,9 +41,10 @@ resource "aws_s3_bucket" "build_cache" {
4141resource "aws_s3_bucket_versioning" "build_cache_versioning" {
4242 bucket = aws_s3_bucket. build_cache . id
4343
44+ # ok as decided by the user
45+ # tfsec:ignore:aws-s3-enable-versioning
4446 versioning_configuration {
4547 # ok as decided by the user
46- # tfsec:ignore:aws-s3-enable-versioning
4748 # kics-scan ignore-line
4849 status = var. cache_bucket_versioning ? " Enabled" : " Suspended"
4950 }
Original file line number Diff line number Diff line change @@ -28,13 +28,14 @@ resource "aws_cloudwatch_event_target" "terminate_instances" {
2828 arn = aws_lambda_function. terminate_runner_instances . arn
2929}
3030
31+ # ok as encryption can be activated by the user
32+ # tfsec:ignore:aws-cloudwatch-log-group-customer-key
3133resource "aws_cloudwatch_log_group" "lambda" {
3234 name = " /aws/lambda/${ var . environment } -${ var . name } "
3335 # checkov:skip=CKV_AWS_338:There is no need to store the logs for 1+ years. They are not critical.
3436 retention_in_days = var. cloudwatch_logging_retention_in_days
3537
3638 # ok as encryption can be activated by the user
37- # tfsec:ignore:aws-cloudwatch-log-group-customer-key
3839 # checkov:skip=CKV_AWS_158:Encryption can be activated by the user
3940 kms_key_id = var. kms_key_id
4041
Original file line number Diff line number Diff line change @@ -43,8 +43,8 @@ resource "aws_vpc_security_group_egress_rule" "docker_autoscaler_egress" {
4343}
4444
4545# tracing functions can be activated by the user
46- # tfsec:ignore:aws-lambda-enable-tracing
4746# kics-scan ignore-line
47+ # tfsec:ignore:aws-lambda-enable-tracing
4848resource "aws_lambda_function" "terminate_runner_instances" {
4949 # ts:skip=AC_AWS_0485:Tracing functions can be activated by the user
5050 # checkov:skip=CKV_AWS_50:Tracing functions can be activated by the user
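Review bot: The reorder places `# tfsec:ignore:aws-lambda-enable-tracing` between `# kics-scan ignore-line` and the `resource` line; if KICS applies `ignore-line` to the immediately following line, that suppression now targets a comment instead of the resource and the tracing finding may reappear in the KICS scan, which is worth confirming in the CI output before merge. If both scanners require adjacency to the resource, `# kics-scan ignore-block` above the resource avoids the ordering conflict. The resource body continues outside the hunk.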
Original file line number Diff line number Diff line change @@ -775,7 +775,8 @@ variable "runner_worker_docker_autoscaler_instance" {
775775EOT
776776
777777 type = object ({
778- ebs_optimized = optional (bool , true )
778+ ebs_optimized = optional (bool , true )
779+ # TODO should always be "required", right? https://aquasecurity.github.io/tfsec/v1.28.0/checks/aws/ec2/enforce-launch-config-http-token-imds/
779780 http_tokens = optional (string , " required" )
780781 http_put_response_hop_limit = optional (number , 2 )
781782 monitoring = optional (bool , false )
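Review bot: The TODO added inside the `type = object({...})` expression leaves the design question open while the launch-template section of this same commit adds a permanent tfsec:ignore for the very check it links to; one of the two should be resolved rather than merged together. If `"required"` is not to be forced, this variable is the right place to pin the accepted values, for example a `validation` block with `condition = contains(["required", "optional"], var.runner_worker_docker_autoscaler_instance.http_tokens)` and a matching `error_message`. The link is pinned to a specific tfsec release and will age; the check id `aws-ec2-enforce-launch-config-http-token-imds` alone identifies it. The enclosing `variable` block starts and ends outside the hunk.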