Attempt to fix tfsec error

[SteveLinden]

No description provided.

[github-actions]

TFSEC Scan Failed

Show Output

*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================

Results #1-2 HIGH IAM policy document uses sensitive action 'logs:CreateLogGroup' on wildcarded resource '1e00ea61-4d4f-48ab-a7e9-f0ab5da560c2:*' (2 similar results)
────────────────────────────────────────────────────────────────────────────────
  main.tf:30
────────────────────────────────────────────────────────────────────────────────
   20    data "aws_iam_policy_document" "default" {
   ..  
   30  [     resources = ["${aws_cloudwatch_log_group.default.arn}:*"]
   ..  
   42    }
────────────────────────────────────────────────────────────────────────────────
  Individual Causes
  - main.tf:20-42 (data.aws_iam_policy_document.default) 2 instances
────────────────────────────────────────────────────────────────────────────────
          ID aws-iam-no-policy-wildcards
      Impact Overly permissive policies may grant access to sensitive resources
  Resolution Specify the exact permissions required, and to which resources they should apply instead of using wildcards.

  More Information
  - https://aquasecurity.github.io/tfsec/latest/checks/aws/iam/no-policy-wildcards/
  - https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document
────────────────────────────────────────────────────────────────────────────────


  timings
  ──────────────────────────────────────────
  disk i/o             81.698µs
  parsing              1.230077ms
  adaptation           210.495µs
  checks               7.340153ms
  total                8.862423ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     14
  files read           4

  results
  ──────────────────────────────────────────
  passed               13
  ignored              2
  critical             0
  high                 2
  medium               0
  low                  0

  13 passed, 2 ignored, 2 potential problem(s) detected.

tfsec_exitcode=1

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
terraform scan results:

Passed checks: 33, Failed checks: 0, Skipped checks: 7

github_actions scan results:

Passed checks: 147, Failed checks: 1, Skipped checks: 0

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Generate Terraform README docs)
	File: /.github/workflows/documentation.yml:0-1

checkov_exitcode=1

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

[davidkelliott]

What's the thinking behind this change?