Fix: Bridgecrew Failed Policies (#85)
* Disable bridgecrew check for VPC Flow Logs on VPC, because CloudPosse has modules in place to handle VPC Flow Log enablement.

* Skip Bridgecrew check on aws_default_security_group ingresses/egresses as the default security group implementation does not include any ingress/egress rules and is inherently secure.

* Add BC_AWS_NETWORKING_4 suppression to aws_vpc resource, which is needed for that resource as well and not just the aws_default_security_group resource.
korenyoni authored May 17, 2021
1 parent 17fcb3c commit 18d7992
Showing 2 changed files with 6 additions and 4 deletions.
3 changes: 1 addition & 2 deletions README.md
Expand Up @@ -266,6 +266,7 @@ Like this project? Please give it a ★ on [our GitHub](https://github.com/cloud
Are you using this project or any of our other projects? Consider [leaving a testimonial][testimonial]. =)



## Related Projects

Check out these related projects.
Expand All @@ -276,8 +277,6 @@ Check out these related projects.
- [terraform-aws-multi-az-subnets](https://github.com/cloudposse/terraform-aws-multi-az-subnets) - Terraform module for multi-AZ public and private subnets provisioning
- [terraform-aws-named-subnets](https://github.com/cloudposse/terraform-aws-named-subnets) - Terraform module for named subnets provisioning.



## Help

**Got a question?** We got answers.
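Review bot: both README.md hunks are whitespace-only (one blank line added before `## Related Projects`, two removed before `## Help`) and have nothing to do with the Bridgecrew suppressions the commit title describes; committing README formatting changes separately, or at least mentioning them in the commit message, keeps the history easier to audit.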
7 changes: 5 additions & 2 deletions main.tf
Expand Up @@ -14,7 +14,9 @@ module "label" {
}

resource "aws_vpc" "default" {
count = local.enabled ? 1 : 0
count = local.enabled ? 1 : 0
#bridgecrew:skip=BC_AWS_LOGGING_9:VPC Flow Logs are meant to be enabled by terraform-aws-vpc-flow-logs-s3-bucket and/or terraform-aws-cloudwatch-flow-logs
#bridgecrew:skip=BC_AWS_NETWORKING_4:See aws_default_security_group.default for comments
cidr_block = var.cidr_block
instance_tenancy = var.instance_tenancy
enable_dns_hostnames = var.enable_dns_hostnames
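Review bot: the `BC_AWS_NETWORKING_4` suppression on `aws_vpc.default` is unconditional, but the justification it points to only holds when `aws_default_security_group.default` is actually created: that resource's `count` is `local.enable_default_security_group_with_custom_rules`, and the comment above it states that when it is not defined the default security group is created implicitly with `0.0.0.0/0` access. State that precondition in the skip reason rather than only cross-referencing the other resource, e.g. `#bridgecrew:skip=BC_AWS_NETWORKING_4:Default SG is locked down by aws_default_security_group.default when enable_default_security_group_with_custom_rules is set`, so a reader of the VPC resource can see which configuration the finding is addressed in. The `BC_AWS_LOGGING_9` reason is fine as written: it names the companion modules expected to enable flow logs.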
Expand All @@ -27,7 +29,8 @@ resource "aws_vpc" "default" {

# If `aws_default_security_group` is not defined, it would be created implicitly with access `0.0.0.0/0`
resource "aws_default_security_group" "default" {
count = local.enable_default_security_group_with_custom_rules
count = local.enable_default_security_group_with_custom_rules
#bridgecrew:skip=BC_AWS_NETWORKING_4:This Bridgecrew policy checks for explicit ingress/egress blocks, however this default security group implementation does not add any inbound or outbound rules and is therefore inherently secure.
vpc_id = join("", aws_vpc.default.*.id)

tags = merge(module.label.tags, { Name = "Default Security Group" })
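Review bot: the skip reason states the resource "does not add any inbound or outbound rules and is therefore inherently secure"; a managed `aws_default_security_group` with no `ingress`/`egress` blocks does cause Terraform to strip AWS's default rules, but the hunk shows only `vpc_id` and `tags` and the rest of the body is collapsed, so confirm no rule blocks exist further down before relying on that wording. It would also be clearer to say "restricts all traffic" instead of "inherently secure", and to note that this only applies when `local.enable_default_security_group_with_custom_rules` is set, since the comment at the top of this block already describes the implicit `0.0.0.0/0` default for the other case.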