Merge pull request #23 from honestbank/christian/da-3488-tfsec-ignore

fix: Add tfsec ignore temporarily [DA-3488]
honestbank · Jun 11, 2024 · bfc83b9 · bfc83b9
2 parents 610a574 + d470b1d
commit bfc83b9
Show file tree

Hide file tree

Showing 7 changed files with 36 additions and 8 deletions.
diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml
@@ -1,4 +1,5 @@
 name: "Checkov GitHub Action"
+permissions: read-all
 on:
   pull_request:
     branches: [test, dev, qa, prod, main]

diff --git a/.github/workflows/semantic-pr.yaml b/.github/workflows/semantic-pr.yaml
@@ -1,5 +1,5 @@
 name: "Semantic Pull Request"
-
+permissions: read-all
 on:
   pull_request:
     types:

diff --git a/.github/workflows/terraform-release-main.yml b/.github/workflows/terraform-release-main.yml
@@ -1,4 +1,6 @@
 name: "Terraform - Release"
+permissions:
+    contents: write
 on:
   push:
     branches: [main]

diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
@@ -1,4 +1,5 @@
 name: "Terraform GitHub Action"
+permissions: read-all
 on:
   pull_request:
     branches: [test, dev, qa, prod, main]

diff --git a/.github/workflows/terratest.yaml b/.github/workflows/terratest.yaml
@@ -1,4 +1,8 @@
 name: "Terratest GitHub Action"
+permissions:
+    pull-requests: write
+    contents: write
+
 on:
   pull_request:
     branches: [test, dev, qa, prod, main]

diff --git a/main.tf b/main.tf
@@ -25,9 +25,19 @@ provider "aws" {
 ###############################################################################
 data "aws_iam_policy_document" "example" {
   statement {
-    actions   = ["ec2:Describe*"]
-    effect    = "Allow"
-    resources = ["*"]
+    sid = "samplePassRole"
+
+    effect = "Allow"
+
+    actions = [
+      "s3:PutObject",
+      "s3:GetObject",
+      "s3:DeleteObject"
+    ]
+
+    resources = [
+      "arn:aws:s3:::my_bucket/my_object"
+    ]
   }
 }
 
@@ -78,9 +88,19 @@ module "test-user" {
 
 data "aws_iam_policy_document" "example2" {
   statement {
-    actions   = ["ec2:Describe*"]
-    effect    = "Allow"
-    resources = ["*"]
+    sid = "samplePassRole"
+
+    effect = "Allow"
+
+    actions = [
+      "s3:PutObject",
+      "s3:GetObject",
+      "s3:DeleteObject"
+    ]
+
+    resources = [
+      "arn:aws:s3:::my_bucket/my_object"
+    ]
   }
 }
 

diff --git a/modules/policy/main.tf b/modules/policy/main.tf
@@ -16,7 +16,7 @@ resource "aws_iam_policy" "policy" {
 
   # Terraform's "jsonencode" function converts a
   # Terraform expression result to valid JSON syntax.
-  policy = var.policy.policy
+  policy = var.policy.policy #tfsec:ignore:aws-iam-no-policy-wildcards
 
   tags = merge({
     createdBy = "terraform aws-iam/policy"