diff --git a/.github/workflows/scheduled-baseline.yml b/.github/workflows/scheduled-baseline.yml
index 4ccaf8a2b..a6074fb14 100644
--- a/.github/workflows/scheduled-baseline.yml
+++ b/.github/workflows/scheduled-baseline.yml
@@ -15,7 +15,6 @@ on:
 env:
 TF_IN_AUTOMATION: true
- TF_LOG: "TRACE"
 AWS_REGION: "eu-west-2"
 ENVIRONMENT_MANAGEMENT: ${{ secrets.MODERNISATION_PLATFORM_ENVIRONMENTS }}
diff --git a/.github/workflows/terraform-static-analysis.yml b/.github/workflows/terraform-static-analysis.yml
index 19e659fef..4e0e15821 100644
--- a/.github/workflows/terraform-static-analysis.yml
+++ b/.github/workflows/terraform-static-analysis.yml
@@ -31,8 +31,7 @@ jobs:
 with:
 scan_type: changed
 trivy_severity: HIGH,CRITICAL
- # tfsec_exclude: aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits
- trivy_exclude: aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits
+ tfsec_exclude: aws-ssm-secret-use-customer-key,github-repositories-private,aws-vpc-no-excessive-port-access,github-repositories-require-signed-commits
 checkov_exclude: CKV_GIT_1,CKV_AWS_126,CKV2_AWS_38,CKV2_AWS_39
 tflint_exclude: terraform_unused_declarations
 tflint_call_module_type: none
diff --git a/terraform/environments/bootstrap/delegate-access/policies.tf b/terraform/environments/bootstrap/delegate-access/policies.tf
index 11b2b04f9..3e0caf6fd 100644
--- a/terraform/environments/bootstrap/delegate-access/policies.tf
+++ b/terraform/environments/bootstrap/delegate-access/policies.tf
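Review bot: The exclusion list is moved from `trivy_exclude` back to `tfsec_exclude` while `trivy_severity: HIGH,CRITICAL` stays in the same `with:` block, so if the action still runs trivy at this version it will now report the four checks that were previously suppressed, and if the action no longer accepts `tfsec_exclude` the input is ignored and the suppression is lost either way. Which of the two applies depends on the `uses:` line of this step, which is outside the hunk, so please confirm against that action version. The four excluded findings (customer-managed key for SSM secrets, private repositories, excessive port access, signed commits) are accepted risks that are not explained anywhere in the file; a one-line comment above the input such as `# accepted-risk exclusions, rationale tracked in <ticket placeholder>` would keep the reason next to the suppression.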
@@ -818,6 +818,8 @@ resource "aws_iam_policy" "fleet-manager-policy" {
 data "aws_iam_policy_document" "fleet-manager-document" {
+ #checkov:skip=CKV_AWS_111 Needs to access multiple resources and the policy is attached to a role that is scoped to a specific account
+ #checkov:skip=CKV_AWS_356 Needs to access multiple resources and the policy is attached to a role that is scoped to a specific account
 override_policy_documents = [data.aws_iam_policy_document.common_statements.json]
 statement {
 sid = "FleetManagerAllow"
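Review bot: The justification on the two added `#checkov:skip` lines says where the policy is attached, not why its statements need unrestricted resources, which is what CKV_AWS_111 and CKV_AWS_356 flag; restricting who can assume the role does not narrow what the policy grants, so a later auditor cannot tell from the comment whether the wildcard is still required. Suggest naming the reason in the skip text, e.g. `#checkov:skip=CKV_AWS_356 <actions without resource-level permission support — fill in> require Resource "*"; role assumable only from <account placeholder>`, and the same for CKV_AWS_111. The statement bodies of fleet-manager-document are outside the hunk, so I could not confirm which actions are involved. Note also that the skip covers the whole data source, including the statements merged in through `override_policy_documents`, so any wildcard statement added to this document later is exempted from both checks without a new review.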