Merge pull request #64 from ONS-Innovation/KEH-1281-linting-update

TotalDwarf03 · web-flow · commit aea9ff2f03f8 · 2025-08-22T12:31:46.000+01:00
fix(lint): address temporary linting exceptions
diff --git a/.checkov.yml b/.checkov.yml
@@ -21,6 +21,7 @@ skip-check:
   # SPP use the same pattern so it's not a concern for us
   - CKV_AWS_382
 
-  # These ignores are TEMPORARY. They will be resolved in the future.
-  - CKV_AWS_108
+  # Ignore adding code-signing to Lambda.
+  # It is not needed here since our Lambda functions use container
+  # images over uploading .zip files for layers.
   - CKV_AWS_272
diff --git a/terraform/data.tf b/terraform/data.tf
@@ -39,7 +39,9 @@ data "aws_iam_policy_document" "lambda_logging" {
       "logs:PutLogEvents",
     ]
 
-    resources = ["arn:aws:logs:*:*:*"] #trivy:ignore:AVD-AWS-0057
+    resources = [
+      "${aws_cloudwatch_log_group.loggroup.arn}:*"
+    ]
   }
 }
 
@@ -70,7 +72,7 @@ data "aws_iam_policy_document" "lambda_secret_manager_policy" {
     ]
 
     resources = [
-      "*"
+      "arn:aws:secretsmanager:*:*:secret:${var.aws_secret_name}*"
     ]
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,9 @@ data "aws_iam_policy_document" "lambda_logging" {`
`39`	`39`	`"logs:PutLogEvents",`
`40`	`40`	`]`
`41`	`41`
`42`		`- resources = ["arn:aws:logs:::*"] #trivy:ignore:AVD-AWS-0057`
	`42`	`+ resources = [`
	`43`	`+ "${aws_cloudwatch_log_group.loggroup.arn}:*"`
	`44`	`+ ]`
`43`	`45`	`}`
`44`	`46`	`}`
`45`	`47`
`@@ -70,7 +72,7 @@ data "aws_iam_policy_document" "lambda_secret_manager_policy" {`
`70`	`72`	`]`
`71`	`73`
`72`	`74`	`resources = [`
`73`		`- "*"`
	`75`	`+ "arn:aws:secretsmanager:::secret:${var.aws_secret_name}*"`
`74`	`76`	`]`
`75`	`77`	`}`
`76`	`78`	`}`