
Merge pull request #482 from mdr-engineering/feature/jc_MSOCI-2182_tfsec_DynamoDB_Code_Alignment

Updates DynamoDB code to mirror console | tfsec/checkov updates
Jeremy Cooper 3 anni fa
parent
commit
cb885f84fd
2 ha cambiato i file con 33 aggiunte e 1 eliminazioni
  1. 26 1
      base/teleport-single-instance/dynamo.tf
  2. 7 0
      base/vault/dynamodb.tf

+ 26 - 1
base/teleport-single-instance/dynamo.tf

@@ -7,12 +7,15 @@ cert generation and renewal.
 */
 
 // DynamoDB table for storing cluster state
+#checkov:skip=CKV2_AWS_16:Auto Scaling not needed at this time
 resource "aws_dynamodb_table" "teleport" {
   name           = var.instance_name
   read_capacity  = 10
   write_capacity = 10
   hash_key       = "HashKey"
   range_key      = "FullPath"
+  billing_mode   = "PROVISIONED"
+
   server_side_encryption {
     kms_key_arn = aws_kms_key.s3.arn
     enabled     = true
@@ -35,6 +38,10 @@ resource "aws_dynamodb_table" "teleport" {
     type = "S"
   }
 
+  point_in_time_recovery {
+    enabled = true
+  }
+
   stream_enabled   = "true"
   stream_view_type = "NEW_IMAGE"
 
@@ -47,12 +54,14 @@ resource "aws_dynamodb_table" "teleport" {
 }
 
 // DynamoDB table for storing cluster events
+#checkov:skip=CKV2_AWS_16:Auto Scaling not needed at this time
 resource "aws_dynamodb_table" "teleport_events" {
   name           = "${var.instance_name}-events"
   read_capacity  = 10
   write_capacity = 10
   hash_key       = "SessionID"
   range_key      = "EventIndex"
+  billing_mode   = "PROVISIONED"
 
   server_side_encryption {
     kms_key_arn = aws_kms_key.s3.arn
@@ -95,6 +104,10 @@ resource "aws_dynamodb_table" "teleport_events" {
     type = "N"
   }
 
+  point_in_time_recovery {
+    enabled = true
+  }
+
   ttl {
     attribute_name = "Expires"
     enabled        = true
@@ -104,13 +117,20 @@ resource "aws_dynamodb_table" "teleport_events" {
 }
 
 // DynamoDB table for simple locking mechanism
+#checkov:skip=CKV2_AWS_16:Auto Scaling not needed at this time
 resource "aws_dynamodb_table" "locks" {
   name           = "${var.instance_name}-locks"
   read_capacity  = 5
   write_capacity = 5
   hash_key       = "Lock"
+  billing_mode   = "PROVISIONED"
 
-  billing_mode = "PROVISIONED"
+  #checkov:skip=CKV_AWS_119:Encrypted by AWS Owned key config'd via console
+  #tfsec:ignore:aws-dynamodb-table-customer-key AWS Owned key config'd via console
+  #tfsec:ignore:aws-dynamodb-enable-at-rest-encryption False positive
+  server_side_encryption {
+    enabled = false
+  }
 
   lifecycle {
     ignore_changes = [
@@ -124,6 +144,11 @@ resource "aws_dynamodb_table" "locks" {
     type = "S"
   }
 
+  #checkov:skip=CKV_AWS_28:No need for PiTR here
+  point_in_time_recovery {
+    enabled = false
+  }
+
   ttl {
     attribute_name = "Expires"
     enabled        = true
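Review bot: The three new `#checkov:skip=CKV2_AWS_16` comments (the lines before `resource "aws_dynamodb_table" "teleport"`, `"teleport_events"` and `"locks"`) sit outside the resource blocks, whereas the other skips this commit adds (`CKV_AWS_119` inside `locks`, and `CKV_AWS_28` before `point_in_time_recovery`) are placed inside the block, which is the placement checkov documents for attributing a skip to a resource. Whether a skip placed on the line above the block is honored depends on the checkov version in use; I would either move each of them one line down, inside the block (e.g. directly after `name           = var.instance_name`), or confirm with a checkov run that CKV2_AWS_16 is reported as skipped for all three tables rather than silently still failing. Separately, the `locks` table now explicitly opts for the AWS-owned key (`server_side_encryption { enabled = false }`) while the two sibling tables in this file use the customer-managed key `aws_kms_key.s3.arn`; since this PR makes the code the source of truth, the justification comment would be more useful stating the decision than the history, e.g. `# Lock rows are short-lived (TTL) and hold no secret material, so the AWS-owned key is sufficient; no CMK needed.` — confirm that reasoning with the owners before adopting it. The `locks` resource block starts in the fifth hunk and its `attribute`/`ttl` tail continues past the last hunk.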

+ 7 - 0
base/vault/dynamodb.tf

@@ -4,6 +4,13 @@ resource "aws_dynamodb_table" "vault" {
   hash_key     = "Path"
   range_key    = "Key"
 
+  #checkov:skip=CKV_AWS_119:Encrypted by AWS Owned key config'd via console
+  #tfsec:ignore:aws-dynamodb-table-customer-key AWS Owned key config'd via console
+  #tfsec:ignore:aws-dynamodb-enable-at-rest-encryption False positive
+  server_side_encryption {
+    enabled = false
+  }
+
   attribute {
     name = "Path"
     type = "S"
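Review bot: `server_side_encryption { enabled = false }` on the `vault` table reads as "encryption off" to anyone who does not know the provider semantics, which is exactly why tfsec's `aws-dynamodb-enable-at-rest-encryption` fires; the existing "False positive" remark does not say why. A one-line comment on the block would make the suppression self-explaining and stop the next reader from "fixing" it: `# enabled = false selects the AWS-owned key (DynamoDB's default); data is still encrypted at rest, just not under a CMK.` The same comment belongs on the identical block added to the `locks` table in base/teleport-single-instance/dynamo.tf. Given this table is Vault's storage backend, it is also worth recording in that comment that the AWS-owned key choice is deliberate (no key policy or CloudTrail KMS usage to audit for this table) rather than a console artefact. The `vault` resource block starts before this hunk and continues past it.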