Removing tf trace logging from the scheduled baseline (#6014)

* trivy_exclude unknown

* add checkov skips for fleet manager policy

* Removing tf trace logging from the scheduled baseline

* Reverting trivy exclude input

---------

Co-authored-by: Aaron Robinson <aaron.robinson@digital.justice.gov.uk>

.github/workflows/scheduled-baseline.yml

@@ -15,7 +15,6 @@ on:
 
 env:
   TF_IN_AUTOMATION: true
-  TF_LOG: "TRACE"
   AWS_REGION: "eu-west-2"
   ENVIRONMENT_MANAGEMENT: ${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }}
 

.github/workflows/terraform-static-analysis.yml

@@ -31,8 +31,7 @@ jobs:
       with:
         scan_type: changed
         trivy_severity: HIGH,CRITICAL
-     #   tfsec_exclude: aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits
-        trivy_exclude: aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits
+        tfsec_exclude: aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits
         checkov_exclude: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
         tflint_exclude: terraform_unused_declarations
         tflint_call_module_type: none

terraform/environments/bootstrap/delegate-access/policies.tf

@@ -818,6 +818,8 @@ resource "aws_iam_policy" "fleet-manager-policy" {
 
 
 data "aws_iam_policy_document" "fleet-manager-document" {
+  #checkov:skip=CKV_AWS_111 Needs to access multiple resources and the policy is attached to a role that is scoped to a specific account
+  #checkov:skip=CKV_AWS_356 Needs to access multiple resources and the policy is attached to a role that is scoped to a specific account
   override_policy_documents = [data.aws_iam_policy_document.common_statements.json]
   statement {
     sid    = "FleetManagerAllow"