Merge pull request #303 from ministryofjustice/fix/secure-code-analysis

Address secure code analysis alerts

.github/workflows/documentation.yml

@@ -5,8 +5,13 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   docs:
+    permissions:
+      contents: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

.github/workflows/terraform-static-analysis.yml

@@ -32,6 +32,7 @@ jobs:
         scan_type: single
         tfsec_exclude: AWS089, AWS099, AWS009, AWS097, AWS018
         checkov_exclude: CKV_GIT_1
+        tflint_exclude: terraform_unused_declarations
 
   terraform-static-analysis-full-scan:
     permissions:
@@ -52,3 +53,4 @@ jobs:
         scan_type: full
         tfsec_exclude: AWS089, AWS099, AWS009, AWS097, AWS018
         checkov_exclude: CKV_GIT_1
+        tflint_exclude: terraform_unused_declarations

test/unit-test/main.tf

@@ -34,10 +34,13 @@ data "aws_iam_policy_document" "topic" {
 
   }
 }
+
+#AWS managed KMS key is fine for unit tests
+#tfsec:ignore:aws-sns-topic-encryption-use-cmk
 resource "aws_sns_topic" "topic" {
-  #checkov:skip=CKV_AWS_26: "Encryption not required as topic only available during test run"
-  name   = "s3-event-notification-topic"
-  policy = data.aws_iam_policy_document.topic.json
+  name              = "s3-event-notification-topic"
+  kms_master_key_id = "alias/aws/sns"
+  policy            = data.aws_iam_policy_document.topic.json
 }
 
 module "s3_with_notification" {

test/unit-test/versions.tf

@@ -4,6 +4,10 @@ terraform {
       version = "~> 5.0"
       source  = "hashicorp/aws"
     }
+    http = {
+      source  = "hashicorp/http"
+      version = "~> 3.4"
+    }
   }
   required_version = ">= 1.0.1"
 }