Merge pull request #1397 from CMSgov/QPPSE-1461

Resolve Checkov error Part 2
CMSgov · Dec 7, 2023 · 7c8720a · 7c8720a
2 parents d0ccf0d + 893c755
commit 7c8720a
Show file tree

Hide file tree

Showing 5 changed files with 74 additions and 65 deletions.
diff --git a/.github/workflows/checkov-tf.yml b/.github/workflows/checkov-tf.yml
@@ -4,6 +4,10 @@ on:
   pull_request:
     branches:
       - develop
+
+env:
+  CHECKOV_OUTPUT_CODE_LINE_LIMIT: 255
+
 jobs:
   build:
 

diff --git a/infrastructure/new-relic/main.tf b/infrastructure/new-relic/main.tf
@@ -10,14 +10,18 @@ terraform {
     required_providers {
         aws = {
             source = "hashicorp/aws"
-            version = "=3.70.0"
+            version = "=4.55.0"
         }
     }
-    required_version = "1.0.0"
+    required_version = "1.5.0"
+}
+
+locals {
+  myregion = "us-east-1"
 }
 
 provider "aws" {
-  region  = "us-east-1"
+  region  = local.myregion
 }
 
 data "aws_caller_identity" "current" {}
@@ -57,7 +61,7 @@ resource "aws_iam_policy" "new_relic_budget_policy" {
     {
       "Effect": "Allow",
       "Action": ["budgets:ViewBudget"],
-      "Resource": "*"
+      "Resource": "arn:aws:${local.myregion}:*:*:*"
     }
   ]
 }

diff --git a/infrastructure/terraform/modules/iam.tf b/infrastructure/terraform/modules/iam.tf
@@ -342,7 +342,7 @@ resource "aws_iam_policy" "conversiontool_svc_policy" {
 				"iam:GetRole",
 				"iam:PassRole"
 			],
-			"Resource": "*"
+			"Resource": "arn:aws:ecs:${var.region}:*:*"
 		},
 		{
 			"Sid": "AllowS3",
@@ -384,7 +384,7 @@ resource "aws_iam_policy" "conversiontool_svc_policy" {
 			"Sid": "ECRauthorization",
 			"Effect": "Allow",
 			"Action": "ecr:GetAuthorizationToken",
-			"Resource": "*"
+			"Resource": "arn:aws:ecr:${var.region}:*:*"
 		},
 		{
 			"Sid": "ECRPermissions",

diff --git a/infrastructure/terraform/modules/openid-connect/gha_openid.tf b/infrastructure/terraform/modules/openid-connect/gha_openid.tf
@@ -2,10 +2,10 @@ terraform {
     required_providers {
         aws = {
             source = "hashicorp/aws"
-            version = "=3.70.0"
+            version = "=4.55.0"
         }
     }
-    required_version = "1.0.0"
+    required_version = "1.5.0"
 }
 
 provider "aws" {
@@ -70,58 +70,58 @@ resource "aws_iam_policy" "github_actions_conversiontool_policy" {
         "iam:GetRole",
         "iam:PassRole"
 			],
-			"Resource": "*"
+			"Resource": "arn:aws:ecs:${var.region}:*:*"
 		},
-        {
-            "Action": [
-                "acm:ListCertificates",
-                "acm:ExportCertificate",
-                "acm:GetCertificate",
-                "acm:DescribeCertificate"
-            ],
-            "Effect": "Allow",
-            "Resource": ["arn:aws:acm:${var.region}:${data.aws_caller_identity.current.account_id}:certificate/*"],
-            "Sid": "ACMPermissions"
-        },
-        {
-            "Sid": "ECRauthorization",
-            "Effect": "Allow",
-            "Action": "ecr:GetAuthorizationToken",
-            "Resource": "*"
-        },
+    {
+        "Action": [
+            "acm:ListCertificates",
+            "acm:ExportCertificate",
+            "acm:GetCertificate",
+            "acm:DescribeCertificate"
+        ],
+        "Effect": "Allow",
+        "Resource": ["arn:aws:acm:${var.region}:${data.aws_caller_identity.current.account_id}:certificate/*"],
+        "Sid": "ACMPermissions"
+    },
+    {
+        "Sid": "ECRauthorization",
+        "Effect": "Allow",
+        "Action": "ecr:GetAuthorizationToken",
+        "Resource": "arn:aws:ecr:${var.region}:*:*"
+    },
 		{
-            "Sid": "ECRPermissions",
-            "Effect": "Allow",
-            "Action": [
-                "ecr:GetDownloadUrlForLayer",
-                "ecr:BatchGetImage",
-                "ecr:CompleteLayerUpload",
-                "ecr:UploadLayerPart",
-                "ecr:InitiateLayerUpload",
-                "ecr:BatchCheckLayerAvailability",
-                "ecr:PutImage"
-            ],
-            "Resource":[
-                "arn:aws:ecr:us-east-1:003384571330:repository/new-qpp-conversion-tool",
-                "003384571330.dkr.ecr.us-east-1.amazonaws.com/qppsf/conversion-tool/dev",
-                "003384571330.dkr.ecr.us-east-1.amazonaws.com/qppsf/conversion-tool/devpre",
-                "003384571330.dkr.ecr.us-east-1.amazonaws.com/qppsf/conversion-tool/impl",
-                "003384571330.dkr.ecr.us-east-1.amazonaws.com/qppsf/conversion-tool/prod"
-            ] 
-        },
-        {
-            "Action": [
-                "ssm:GetParameters",
-                "ssm:PutParameter",
-                "ssm:GetParameterHistory",
-                "ssm:GetParametersByPath",
-                "ssm:GetParameter",
-                "ssm:DescribeParameters"
-            ],
-            "Effect": "Allow",
-            "Resource": ["arn:aws:ssm:${var.region}:${data.aws_caller_identity.current.account_id}:parameter/qppar-sf/*"],
-            "Sid": "SSMPermissions"
-        }
+        "Sid": "ECRPermissions",
+        "Effect": "Allow",
+        "Action": [
+            "ecr:GetDownloadUrlForLayer",
+            "ecr:BatchGetImage",
+            "ecr:CompleteLayerUpload",
+            "ecr:UploadLayerPart",
+            "ecr:InitiateLayerUpload",
+            "ecr:BatchCheckLayerAvailability",
+            "ecr:PutImage"
+        ],
+        "Resource":[
+            "arn:aws:ecr:us-east-1:003384571330:repository/new-qpp-conversion-tool",
+            "003384571330.dkr.ecr.us-east-1.amazonaws.com/qppsf/conversion-tool/dev",
+            "003384571330.dkr.ecr.us-east-1.amazonaws.com/qppsf/conversion-tool/devpre",
+            "003384571330.dkr.ecr.us-east-1.amazonaws.com/qppsf/conversion-tool/impl",
+            "003384571330.dkr.ecr.us-east-1.amazonaws.com/qppsf/conversion-tool/prod"
+        ] 
+    },
+    {
+        "Action": [
+            "ssm:GetParameters",
+            "ssm:PutParameter",
+            "ssm:GetParameterHistory",
+            "ssm:GetParametersByPath",
+            "ssm:GetParameter",
+            "ssm:DescribeParameters"
+        ],
+        "Effect": "Allow",
+        "Resource": ["arn:aws:ssm:${var.region}:${data.aws_caller_identity.current.account_id}:parameter/qppar-sf/*"],
+        "Sid": "SSMPermissions"
+    }
 	]
 })
 }

diff --git a/infrastructure/terraform/modules/s3.tf b/infrastructure/terraform/modules/s3.tf
@@ -156,15 +156,16 @@ resource "aws_s3_bucket_lifecycle_configuration" "log_bucket" {
   # }
 }
 
-resource "aws_s3_bucket_ownership_controls" "log_bucket" {
-  bucket = aws_s3_bucket.log_bucket.id
-  rule {
-    object_ownership = "BucketOwnerPreferred"
-  }
-}
+# QPPSE-1461
+# resource "aws_s3_bucket_ownership_controls" "log_bucket" {
+#   bucket = aws_s3_bucket.log_bucket.id
+#   rule {
+#     object_ownership = "BucketOwnerPreferred"
+#   }
+# }
 
 resource "aws_s3_bucket_acl" "log_bucket" {
-  depends_on = [aws_s3_bucket_ownership_controls.log_bucket]
+  # depends_on = [aws_s3_bucket_ownership_controls.log_bucket]
 
   bucket = aws_s3_bucket.log_bucket.id