fix/SA-251 - trivy errors and cloudwatch retention default (#39)
* fix: resetting default cloudwatch retention to infinite and trivy ignores on module
wozzer72 authored Sep 11, 2024
1 parent 7decd91 commit 6e84469
Showing 3 changed files with 6 additions and 3 deletions.
3 changes: 1 addition & 2 deletions README.md
Expand Up @@ -9,7 +9,6 @@ The purpose of this module is to provide a building block for processing and del
## Usage

```hcl
module "notifications" {
module "notifications" {
source = "github.com/appvia/terraform-aws-notifications?ref=main"
Expand Down Expand Up @@ -124,7 +123,7 @@ Frequently (quartley at least) check and upgrade:
| <a name="input_allowed_aws_principals"></a> [allowed\_aws\_principals](#input\_allowed\_aws\_principals) | Optional, list of AWS accounts able to publish via the SNS topic (when creating topic) e.g 123456789012 | `list(string)` | `[]` | no |
| <a name="input_allowed_aws_services"></a> [allowed\_aws\_services](#input\_allowed\_aws\_services) | Optional, list of AWS services able to publish via the SNS topic (when creating topic) e.g cloudwatch.amazonaws.com | `list(string)` | `[]` | no |
| <a name="input_cloudwatch_log_group_kms_key_id"></a> [cloudwatch\_log\_group\_kms\_key\_id](#input\_cloudwatch\_log\_group\_kms\_key\_id) | The KMS key id to use for encrypting the cloudwatch log group (default is none) | `string` | `null` | no |
| <a name="input_cloudwatch_log_group_retention"></a> [cloudwatch\_log\_group\_retention](#input\_cloudwatch\_log\_group\_retention) | The retention period for the cloudwatch log group (for lambda function logs) in days | `string` | `"3"` | no |
| <a name="input_cloudwatch_log_group_retention"></a> [cloudwatch\_log\_group\_retention](#input\_cloudwatch\_log\_group\_retention) | The retention period for the cloudwatch log group (for lambda function logs) in days | `string` | `"0"` | no |
| <a name="input_create_sns_topic"></a> [create\_sns\_topic](#input\_create\_sns\_topic) | Whether to create an SNS topic for notifications | `bool` | `false` | no |
| <a name="input_email"></a> [email](#input\_email) | The configuration for Email notifications | <pre>object({<br> addresses = optional(list(string))<br> # The email addresses to send notifications to<br> })</pre> | `null` | no |
| <a name="input_enable_slack"></a> [enable\_slack](#input\_enable\_slack) | To send to slack, set to true | `bool` | `false` | no |
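Review bot: the new default `"0"` in the `cloudwatch_log_group_retention` row is only meaningful if the reader knows that CloudWatch treats a retention of 0 as "never expire"; the description still says just "in days", so it should state that 0 disables expiry (the commit message's "infinite"). If this table is generated by terraform-docs from `variables.tf` (the `<a name="input_...">` anchors suggest it is), change the description there and regenerate rather than hand-editing the README, otherwise the two will drift.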
4 changes: 4 additions & 0 deletions modules/notify/main.tf
Expand Up @@ -78,6 +78,8 @@ locals {
)
}

#trivy:ignore:avd-aws-0059
#trivy:ignore:avd-aws-0057
data "aws_iam_policy_document" "lambda" {
for_each = toset(["slack", "teams"])

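Review bot: the `#trivy:ignore:avd-aws-0059` and `#trivy:ignore:avd-aws-0057` lines suppress findings on `data "aws_iam_policy_document" "lambda"` without recording what is being accepted or why. Add a one-line justification beside each ignore (which statement, and which wildcard or permission triggers the finding), and consider Trivy's expiring form, e.g. `#trivy:ignore:avd-aws-0057:exp:2025-03-31`, so the suppression is revisited rather than permanent. Note that the data source is built per `for_each` key, so a single ignore here waives the finding for both the slack and the teams policy.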
Expand All @@ -102,6 +104,7 @@ resource "aws_cloudwatch_log_group" "lambda" {
tags = merge(var.tags, var.cloudwatch_log_group_tags)
}

#trivy:ignore:avd-aws-0095
resource "aws_sns_topic" "this" {
count = var.create_sns_topic && var.create ? 1 : 0

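Review bot: `#trivy:ignore:avd-aws-0095` (the SNS topic encryption check) is applied to `aws_sns_topic.this` with no explanation. The module already accepts `cloudwatch_log_group_kms_key_id` for the log group, so the consistent fix is an optional KMS key input wired to the topic's `kms_master_key_id`, with the ignore (and a comment) covering only the no-key case. At minimum, record why encryption at rest is being waived for a topic that other accounts and services can publish to via `allowed_aws_principals` / `allowed_aws_services`.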
Expand Down Expand Up @@ -182,6 +185,7 @@ resource "local_file" "notification_emblems_python" {
# ]
# }

#trivy:ignore:avd-aws-0067
module "lambda" {
for_each = toset(["slack", "teams"])

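Review bot: `#trivy:ignore:avd-aws-0067` is placed on the `module "lambda"` call, but the resource that raises the finding lives inside the module source, not in this block. Verify with a `trivy config` run that an ignore on the calling module block actually silences the finding; if it does not, it belongs in the module, or a finding-specific `.trivyignore` entry is needed. As with the other ignores in this commit, add a comment naming the check and the reason.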
2 changes: 1 addition & 1 deletion variables.tf
Expand Up @@ -66,7 +66,7 @@ variable "sns_topic_policy" {
variable "cloudwatch_log_group_retention" {
description = "The retention period for the cloudwatch log group (for lambda function logs) in days"
type = string
default = "3"
default = "0"
}

variable "cloudwatch_log_group_kms_key_id" {
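Review bot: changing `default = "0"` silently turns off log expiry for every existing consumer of the module (CloudWatch treats 0 as never expire), so the description should say so and the change deserves an upgrade note. Separately, the variable is `type = string` for a value that is a number of days; `type = number` with a `validation` block restricted to the discrete retention values CloudWatch accepts would catch a bad value at plan time instead of apply time. Also worth flagging: with `cloudwatch_log_group_kms_key_id` defaulting to `null`, the module's default configuration now keeps the Lambda function logs indefinitely under the AWS-managed key, which is a data-retention decision the consumer should be making explicitly.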

0 comments on commit 6e84469