
Commit fdef7ea

committed
fix: Format Terraform files and exclude test fixtures from security scanning
Addresses #118 - Security scanning improvements:
- Add .checkov.yml configuration to exclude test/ and examples/ directories
- Update security workflow to use the configuration file
- Add inline skip annotation for the test DynamoDB table
- Run terraform fmt -recursive to fix formatting issues
- Exclude test paths from tfsec scanning

Test fixtures are temporary resources and do not need production security constraints. Fixes Terraform validation failures in the CI/CD pipeline.
1 parent 99778ad commit fdef7ea


10 files changed

+142
-142
lines changed


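--- a/examples/secure_backup_configuration/kms.tf
+++ b/examples/secure_backup_configuration/kms.tf
@@ -3,7 +3,7 @@
 # Primary backup vault KMS key
 resource "aws_kms_key" "backup_key" {
 description = "KMS key for ${var.project_name} ${var.environment} backup encryption"
-
+
 # Security-focused key policy
 policy = jsonencode({
 Version = "2012-10-17"
@@ -54,11 +54,11 @@ resource "aws_kms_key" "backup_key" {
 }
 ]
 })
-
+
 # Security settings
 deletion_window_in_days = 10
 enable_key_rotation = true
-
+
 tags = merge(local.common_tags, {
 Name = "${var.project_name}-${var.environment}-backup-key"
 Type = "backup-encryption"
@@ -74,9 +74,9 @@ resource "aws_kms_alias" "backup_key" {
 # Cross-region backup KMS key
 resource "aws_kms_key" "cross_region_backup_key" {
 count = var.enable_cross_region_backup ? 1 : 0
-
+
 description = "KMS key for ${var.project_name} ${var.environment} cross-region backup encryption"
-
+
 policy = jsonencode({
 Version = "2012-10-17"
 Statement = [
@@ -111,32 +111,32 @@ resource "aws_kms_key" "cross_region_backup_key" {
 }
 ]
 })
-
+
 deletion_window_in_days = 10
 enable_key_rotation = true
-
+
 tags = merge(local.common_tags, {
 Name = "${var.project_name}-${var.environment}-cross-region-backup-key"
 Type = "cross-region-backup-encryption"
 })
-
+
 provider = aws.cross_region
 }
 
 # Cross-region KMS key alias
 resource "aws_kms_alias" "cross_region_backup_key" {
 count = var.enable_cross_region_backup ? 1 : 0
-
+
 name = "alias/${var.project_name}-${var.environment}-cross-region-backup"
 target_key_id = aws_kms_key.cross_region_backup_key[0].key_id
-
+
 provider = aws.cross_region
 }
 
 # KMS key for SNS encryption
 resource "aws_kms_key" "sns_key" {
 description = "KMS key for ${var.project_name} ${var.environment} SNS encryption"
-
+
 policy = jsonencode({
 Version = "2012-10-17"
 Statement = [
@@ -179,10 +179,10 @@ resource "aws_kms_key" "sns_key" {
 }
 ]
 })
-
+
 deletion_window_in_days = 10
 enable_key_rotation = true
-
+
 tags = merge(local.common_tags, {
 Name = "${var.project_name}-${var.environment}-sns-key"
 Type = "sns-encryption"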

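--- a/examples/secure_backup_configuration/main.tf
+++ b/examples/secure_backup_configuration/main.tf
@@ -11,7 +11,7 @@ locals {
 SecurityLevel = "high"
 Compliance = "required"
 }
-
+
 vault_name = "${var.project_name}-${var.environment}-secure-vault"
 plan_name = "${var.project_name}-${var.environment}-secure-plan"
 }
@@ -23,37 +23,37 @@ module "backup" {
 # Vault configuration with security controls
 vault_name = local.vault_name
 vault_kms_key_arn = aws_kms_key.backup_key.arn
-
+
 # Enable vault lock for compliance
 locked = var.enable_vault_lock
 changeable_for_days = var.vault_lock_changeable_days
-
+
 # Security-focused retention policies
 min_retention_days = var.min_retention_days
 max_retention_days = var.max_retention_days
-
+
 # Backup plan with security controls
 plan_name = local.plan_name
-
+
 rules = [
 {
 name = "daily-secure-backup"
-schedule = "cron(0 5 ? * * *)" # 5 AM UTC daily
-start_window = 480 # 8 hours
-completion_window = 10080 # 7 days
+schedule = "cron(0 5 ? * * *)" # 5 AM UTC daily
+start_window = 480 # 8 hours
+completion_window = 10080 # 7 days
 enable_continuous_backup = var.enable_continuous_backup
-
+
 lifecycle = {
-cold_storage_after = 30 # Move to cold storage after 30 days
+cold_storage_after = 30 # Move to cold storage after 30 days
 delete_after = var.backup_retention_days
 }
-
+
 # Security-focused tagging
 recovery_point_tags = merge(local.common_tags, {
 BackupType = "daily"
 Encrypted = "true"
 })
-
+
 # Cross-region backup with security controls
 copy_actions = var.enable_cross_region_backup ? [
 {
@@ -67,37 +67,37 @@ module "backup" {
 },
 {
 name = "weekly-secure-backup"
-schedule = "cron(0 6 ? * SUN *)" # 6 AM UTC on Sundays
+schedule = "cron(0 6 ? * SUN *)" # 6 AM UTC on Sundays
 start_window = 480
 completion_window = 10080
 enable_continuous_backup = false
-
+
 lifecycle = {
-cold_storage_after = 90 # Move to cold storage after 90 days
+cold_storage_after = 90 # Move to cold storage after 90 days
 delete_after = var.weekly_backup_retention_days
 }
-
+
 recovery_point_tags = merge(local.common_tags, {
 BackupType = "weekly"
 Encrypted = "true"
 })
 }
 ]
-
+
 # Secure backup selections
 selections = {
 "production-databases" = {
 resources = var.database_resources
-
+
 # Security-focused resource selection
 conditions = {
 "string_equals" = {
-"aws:ResourceTag/Environment" = var.environment
-"aws:ResourceTag/SecurityLevel" = "high"
+"aws:ResourceTag/Environment" = var.environment
+"aws:ResourceTag/SecurityLevel" = "high"
 "aws:ResourceTag/BackupRequired" = "true"
 }
 }
-
+
 selection_tags = [
 {
 type = "STRINGEQUALS"
@@ -111,70 +111,70 @@ module "backup" {
 }
 ]
 },
-
+
 "production-volumes" = {
 resources = var.volume_resources
-
+
 conditions = {
 "string_equals" = {
-"aws:ResourceTag/Environment" = var.environment
-"aws:ResourceTag/SecurityLevel" = "high"
+"aws:ResourceTag/Environment" = var.environment
+"aws:ResourceTag/SecurityLevel" = "high"
 "aws:ResourceTag/BackupRequired" = "true"
 }
 }
 }
 }
-
+
 # Security notifications
 notifications = {
 backup_vault_events = [
 "BACKUP_JOB_STARTED",
 "BACKUP_JOB_COMPLETED",
 "BACKUP_JOB_FAILED",
-"RESTORE_JOB_STARTED",
+"RESTORE_JOB_STARTED",
 "RESTORE_JOB_COMPLETED",
 "RESTORE_JOB_FAILED"
 ]
 sns_topic_arn = aws_sns_topic.backup_notifications.arn
 }
-
+
 # Security-focused tagging
 tags = local.common_tags
 }
 
 # Cross-region backup vault for disaster recovery
 resource "aws_backup_vault" "cross_region_vault" {
 count = var.enable_cross_region_backup ? 1 : 0
-
+
 name = "${local.vault_name}-cross-region"
 kms_key_arn = aws_kms_key.cross_region_backup_key[0].arn
-
+
 # Enable vault lock for compliance
 dynamic "lock_configuration" {
 for_each = var.enable_vault_lock ? [1] : []
-
+
 content {
 changeable_for_days = var.vault_lock_changeable_days
 min_retention_days = var.min_retention_days
 max_retention_days = var.max_retention_days
 }
 }
-
+
 tags = merge(local.common_tags, {
 Name = "${local.vault_name}-cross-region"
 Type = "cross-region"
 })
-
+
 provider = aws.cross_region
 }
 
 # SNS topic for security notifications
 resource "aws_sns_topic" "backup_notifications" {
 name = "${var.project_name}-${var.environment}-backup-notifications"
-
+
 # Enable encryption for SNS
 kms_master_key_id = aws_kms_key.sns_key.arn
-
+
 tags = merge(local.common_tags, {
 Name = "${var.project_name}-${var.environment}-backup-notifications"
 })
@@ -183,7 +183,7 @@ resource "aws_sns_topic" "backup_notifications" {
 # SNS topic policy for backup service
 resource "aws_sns_topic_policy" "backup_notifications" {
 arn = aws_sns_topic.backup_notifications.arn
-
+
 policy = jsonencode({
 Version = "2012-10-17"
 Statement = [
@@ -210,7 +210,7 @@ resource "aws_sns_topic_policy" "backup_notifications" {
 # Email subscription for notifications
 resource "aws_sns_topic_subscription" "backup_notifications_email" {
 count = var.notification_email != "" ? 1 : 0
-
+
 topic_arn = aws_sns_topic.backup_notifications.arn
 protocol = "email"
 endpoint = var.notification_email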
