
Merge pull request #513 from mdr-engineering/feature/jc_MSOCI-2182_tfsec_ignore_EC2_no_public_egress_sgr

Ignore comments for tfsec ID - aws-ec2-no-public-egress-sgr
Jeremy Cooper 3 years ago
parent
commit
896abcecef
1 changed files with 9 additions and 0 deletions
  1. 9 0
      thirdparty/terraform-aws-github-runner/modules/runners/main.tf

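--- a/thirdparty/terraform-aws-github-runner/modules/runners/main.tf
+++ b/thirdparty/terraform-aws-github-runner/modules/runners/main.tf
@@ -53,7 +53,9 @@ data "aws_ami" "runner" {
   owners = var.ami_owners
 }
 
+# tfsec:ignore:aws-ec2-enforce-http-token-imds Saltstack doesn't use s3 sources appropriately; see https://github.com/saltstack/salt/issues/60668
 resource "aws_launch_template" "runner" {
+  # checkov:skip=CKV_AWS_79: see tfsec explanation
   name = "${var.prefix}-action-runner"
 
   dynamic "block_device_mappings" {
@@ -141,6 +143,10 @@ resource "aws_launch_template" "runner" {
   update_default_version = true
 }
 
+#----------------------------------------------------------------------------
+# GH Actions Security Group
+#----------------------------------------------------------------------------
+# tfsec:ignore:aws-ec2-no-public-egress-sgr GH runner requires /0 egress access
 resource "aws_security_group" "runner_sg" {
   count       = var.enable_managed_runner_security_group ? 1 : 0
   name_prefix = "${var.prefix}-github-actions-runner-sg"
@@ -148,6 +154,9 @@ resource "aws_security_group" "runner_sg" {
 
   vpc_id = var.vpc_id
 
+#----------------------------------------------------------------------------
+# EGRESS
+#----------------------------------------------------------------------------
   dynamic "egress" {
     for_each = var.egress_rules
     iterator = each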
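Review bot: The suppression added above `aws_launch_template.runner` in the first hunk (`tfsec:ignore:aws-ec2-enforce-http-token-imds`, mirrored by `checkov:skip=CKV_AWS_79`) is not what the commit message describes and carries more risk than the /0 egress one: it accepts IMDSv1 staying reachable on the runner, so any workflow job executing on the instance can read the instance-role credentials from 169.254.169.254 without the IMDSv2 token step. The justification (`Saltstack doesn't use s3 sources appropriately`) does not name the setting being waived — presumably `metadata_options { http_tokens = "required" }` is absent from the launch template, but that part of the resource is outside the hunk, so confirm — and neither suppression has an expiry. I would reword both so the accepted risk and a re-check date are explicit (tfsec accepts an `:exp:` suffix), e.g. `# tfsec:ignore:aws-ec2-enforce-http-token-imds:exp:YYYY-MM-DD IMDSv1 left enabled on runners: blocked on SaltStack s3 source handling (saltstack/salt#60668); remove once fixed` and `# tfsec:ignore:aws-ec2-no-public-egress-sgr:exp:YYYY-MM-DD runners need 0.0.0.0/0 egress to reach github.com and AWS APIs; no fixed CIDR list available`, keeping whatever the real blocker in the salt issue is. Note also that a resource-level ignore on `runner_sg` silences the egress check for every rule generated from `var.egress_rules`, not only the intended /0 one, so a later over-broad entry in that variable will go unreported. Style: the `#---` banner and `# EGRESS` lines added inside the `runner_sg` body in the third hunk sit at column 0 while the surrounding attributes are indented two spaces; indent them to match, or place the banner above the resource as the second hunk does.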