From ef05809156c7403e8d034106abe214db534e2e00 Mon Sep 17 00:00:00 2001
From: Ruben Aleman <ruben.aleman@makandra.de>
Date: Thu, 15 Jun 2023 11:07:27 +0200
Subject: [PATCH] chore: fix checkov

---
 modules/RDSOSMetrics_loggroup/data.tf | 1 +
 modules/RDSOSMetrics_loggroup/main.tf | 1 +
 modules/eks/kms.tf                    | 2 ++
 3 files changed, 4 insertions(+)

diff --git a/modules/RDSOSMetrics_loggroup/data.tf b/modules/RDSOSMetrics_loggroup/data.tf
index 4702102..89ea1e2 100644
--- a/modules/RDSOSMetrics_loggroup/data.tf
+++ b/modules/RDSOSMetrics_loggroup/data.tf
@@ -5,6 +5,7 @@ data "aws_region" "current" {}
 data "aws_iam_policy_document" "RDSOS_KMS" {
   #checkov:skip=CKV_AWS_109:This is required for a working KMS key policy
   #checkov:skip=CKV_AWS_111:This is required for a working KMS key policy
+  #checkov:skip=CKV_AWS_356:Does not apply here because KMS key policies only apply to the key itself.
   count     = var.create_kms_key ? 1 : 0
   policy_id = "key-policy-cloudwatch"
   statement {
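Review bot: The CKV_AWS_356 skip added on the RDSOS_KMS document is only sound while this document is attached as a KMS key policy, where `resources = ["*"]` means the key itself; if the same data source were ever attached as an IAM identity policy the wildcard resource would become real exposure, and nothing in the hunk records that constraint. The justification should state the assumption explicitly so a later reader does not reuse the document, e.g. `#checkov:skip=CKV_AWS_356:Key policy only (resource "*" is the key itself); do not attach this document as an IAM policy`. The same wording applies to the two skips added in modules/eks/kms.tf on eks_ebs and eks_logging. The policy document body continues outside the hunk, so where it is attached cannot be confirmed from here.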
diff --git a/modules/RDSOSMetrics_loggroup/main.tf b/modules/RDSOSMetrics_loggroup/main.tf
index 84fb5ea..459469a 100644
--- a/modules/RDSOSMetrics_loggroup/main.tf
+++ b/modules/RDSOSMetrics_loggroup/main.tf
@@ -4,6 +4,7 @@ locals {
 }
 
 resource "aws_cloudwatch_log_group" "this" {
+  #checkov:skip=CKV_AWS_338:Logs retention time does not always have to be at least 1 year
   name              = "RDSOSMetrics"
   retention_in_days = var.log_rentention_days
   kms_key_id        = local.kms_key_id
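Review bot: The CKV_AWS_338 justification "does not always have to be at least 1 year" describes the check rather than this resource, so it will not help a reviewer decide whether the exception is still warranted. Tie the skip to what the hunk actually shows, that retention is delegated to the caller through `retention_in_days = var.log_rentention_days`, e.g. `#checkov:skip=CKV_AWS_338:Retention is caller-controlled via var.log_rentention_days; the module does not enforce the 1-year baseline`. If a minimum is expected for some deployments, a validation block on that variable (declared outside this hunk) would be the place to enforce it rather than the skip. The resource block continues past the hunk.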
diff --git a/modules/eks/kms.tf b/modules/eks/kms.tf
index 3088cfc..6ae9061 100644
--- a/modules/eks/kms.tf
+++ b/modules/eks/kms.tf
@@ -1,6 +1,7 @@
 data "aws_iam_policy_document" "eks_ebs" {
   #checkov:skip=CKV_AWS_111: Does not apply here because KMS key policies only apply to the key itself. (https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint)
   #checkov:skip=CKV_AWS_109: Does not apply here because KMS key policies only apply to the key itself. (https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint)
+  #checkov:skip=CKV_AWS_356:Does not apply here because KMS key policies only apply to the key itself.
   statement {
     sid       = "Enable IAM User Permissions"
     actions   = ["kms:*"]
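Review bot: The new CKV_AWS_356 line does not follow the format of the two skip lines directly above it in eks_ebs, which put a space after the colon and end with a link to the check's documentation; the same inconsistency is in the eks_logging hunk below. Matching the neighbours keeps the skip list readable, e.g. `#checkov:skip=CKV_AWS_356: Does not apply here because KMS key policies only apply to the key itself. (<LINK-TO-CKV_AWS_356-DOCS>)` with the real documentation URL substituted. Note that the `kms:*` statement this sits on is the root-account key-policy grant, which is exactly what the skipped checks flag, so the justification is doing real work and should stay precise. The statement block continues outside the hunk.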
@@ -97,6 +98,7 @@ resource "aws_kms_alias" "eks_logging" {
 data "aws_iam_policy_document" "eks_logging" {
   #checkov:skip=CKV_AWS_111: Does not apply here because KMS key policies only apply to the key itself. (https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-write-access-without-constraint)
   #checkov:skip=CKV_AWS_109: Does not apply here because KMS key policies only apply to the key itself. (https://docs.bridgecrew.io/docs/ensure-iam-policies-do-not-allow-permissions-management-resource-exposure-without-constraint)
+  #checkov:skip=CKV_AWS_356:Does not apply here because KMS key policies only apply to the key itself.
   policy_id = "key-policy-cloudwatch"
   statement {
     sid = "Enable IAM User Permissions"