Merge pull request #482 from mdr-engineering/feature/jc_MSOCI-2182_tfsec_DynamoDB_Code_Alignment

Updates DynamoDB code to mirror console | tfsec/checkov updates

base/teleport-single-instance/dynamo.tf

@@ -7,12 +7,15 @@ cert generation and renewal.
 */
 
 // DynamoDB table for storing cluster state
+#checkov:skip=CKV2_AWS_16:Auto Scaling not needed at this time
 resource "aws_dynamodb_table" "teleport" {
   name           = var.instance_name
   read_capacity  = 10
   write_capacity = 10
   hash_key       = "HashKey"
   range_key      = "FullPath"
+  billing_mode   = "PROVISIONED"
+
   server_side_encryption {
     kms_key_arn = aws_kms_key.s3.arn
     enabled     = true
@@ -35,6 +38,10 @@ resource "aws_dynamodb_table" "teleport" {
     type = "S"
   }
 
+  point_in_time_recovery {
+    enabled = true
+  }
+
   stream_enabled   = "true"
   stream_view_type = "NEW_IMAGE"
 
@@ -47,12 +54,14 @@ resource "aws_dynamodb_table" "teleport" {
 }
 
 // DynamoDB table for storing cluster events
+#checkov:skip=CKV2_AWS_16:Auto Scaling not needed at this time
 resource "aws_dynamodb_table" "teleport_events" {
   name           = "${var.instance_name}-events"
   read_capacity  = 10
   write_capacity = 10
   hash_key       = "SessionID"
   range_key      = "EventIndex"
+  billing_mode   = "PROVISIONED"
 
   server_side_encryption {
     kms_key_arn = aws_kms_key.s3.arn
@@ -95,6 +104,10 @@ resource "aws_dynamodb_table" "teleport_events" {
     type = "N"
   }
 
+  point_in_time_recovery {
+    enabled = true
+  }
+
   ttl {
     attribute_name = "Expires"
     enabled        = true
@@ -104,13 +117,20 @@ resource "aws_dynamodb_table" "teleport_events" {
 }
 
 // DynamoDB table for simple locking mechanism
+#checkov:skip=CKV2_AWS_16:Auto Scaling not needed at this time
 resource "aws_dynamodb_table" "locks" {
   name           = "${var.instance_name}-locks"
   read_capacity  = 5
   write_capacity = 5
   hash_key       = "Lock"
+  billing_mode   = "PROVISIONED"
 
-  billing_mode = "PROVISIONED"
+  #checkov:skip=CKV_AWS_119:Encrypted by AWS Owned key config'd via console
+  #tfsec:ignore:aws-dynamodb-table-customer-key AWS Owned key config'd via console
+  #tfsec:ignore:aws-dynamodb-enable-at-rest-encryption False positive
+  server_side_encryption {
+    enabled = false
+  }
 
   lifecycle {
     ignore_changes = [
@@ -124,6 +144,11 @@ resource "aws_dynamodb_table" "locks" {
     type = "S"
   }
 
+  #checkov:skip=CKV_AWS_28:No need for PiTR here
+  point_in_time_recovery {
+    enabled = false
+  }
+
   ttl {
     attribute_name = "Expires"
     enabled        = true

base/vault/dynamodb.tf

@@ -4,6 +4,13 @@ resource "aws_dynamodb_table" "vault" {
   hash_key     = "Path"
   range_key    = "Key"
 
+  #checkov:skip=CKV_AWS_119:Encrypted by AWS Owned key config'd via console
+  #tfsec:ignore:aws-dynamodb-table-customer-key AWS Owned key config'd via console
+  #tfsec:ignore:aws-dynamodb-enable-at-rest-encryption False positive
+  server_side_encryption {
+    enabled = false
+  }
+
   attribute {
     name = "Path"
     type = "S"