From fa5c17e94cf648e8476055429085cdf0e2022ec7 Mon Sep 17 00:00:00 2001
From: Kieran Pritchard
Date: Fri, 22 Aug 2025 12:25:52 +0100
Subject: [PATCH] fix(lint): address temporary linting exceptions
- Limit IAM Resource Access (CKV_AWS_108)
- Code signing can be ignored (CLV_AWS_272)
---
 .checkov.yml | 5 +++--
 terraform/data.tf | 6 ++++--
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/.checkov.yml b/.checkov.yml
index 3472d9a..57dcf87 100644
--- a/.checkov.yml
+++ b/.checkov.yml
@@ -21,6 +21,7 @@ skip-check:
 # SPP use the same pattern so it's not a concern for us
 - CKV_AWS_382
- # These ignores are TEMPORARY. They will be resolved in the future.
- - CKV_AWS_108
+ # Ignore adding code-signing to Lambda.
+ # It is not needed here since our Lambda functions use container
+ # images over uploading .zip files for layers.
 - CKV_AWS_272
diff --git a/terraform/data.tf b/terraform/data.tf
index 8e5061f..751e8ac 100644
--- a/terraform/data.tf
+++ b/terraform/data.tf
@@ -39,7 +39,9 @@ data "aws_iam_policy_document" "lambda_logging" {
 "logs:PutLogEvents",
 ]
- resources = ["arn:aws:logs:*:*:*"] #trivy:ignore:AVD-AWS-0057
+ resources = [
+ "${aws_cloudwatch_log_group.loggroup.arn}:*"
+ ]
 }
 }
@@ -70,7 +72,7 @@ data "aws_iam_policy_document" "lambda_secret_manager_policy" {
 ]
 resources = [
- "*"
+ "arn:aws:secretsmanager:*:*:secret:${var.aws_secret_name}*"
 ]
 }
 }
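Review bot: The CKV_AWS_272 entry that the new comment justifies is a repository-wide skip, so the reasoning given (the Lambda functions are container images, which code-signing configs do not apply to) will silently extend to any zip-packaged `aws_lambda_function` added later, and the check will never fire for it. Consider moving the suppression onto the Lambda resource itself with an inline `#checkov:skip=CKV_AWS_272:Container-image Lambda; code signing only applies to zip deployment packages` so a future zip-based function is still flagged, or, if the global skip is intended, extend the comment to say it is meant to cover every function in this repository. Minor: the commit message refers to `CLV_AWS_272`, which presumably should read `CKV_AWS_272` to match the skip list.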
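Review bot: The new `"${aws_cloudwatch_log_group.loggroup.arn}:*"` resource is only correct for one AWS provider major version: if I recall the v4 upgrade guide correctly, the log group `arn` attribute dropped its trailing `:*` in provider 4.x, so appending `:*` is right there, whereas under provider 3.x the attribute already ends in `:*` and this expression would produce `...:*:*`. Worth confirming the pin in `required_providers` and leaving a one-line comment such as `# provider >= 4: log group arn has no ":*" suffix; appending it scopes the grant to this group and its streams` above the `resources` list. Dropping the `#trivy:ignore:AVD-AWS-0057` marker is consistent, since the wildcard resource it suppressed is gone. The enclosing `lambda_logging` policy document starts before this hunk, so only the tail of its action list is visible here.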
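Review bot: The replacement `"arn:aws:secretsmanager:*:*:secret:${var.aws_secret_name}*"` still wildcards region and account, and because the trailing `*` is unbounded it also matches any secret whose name merely starts with `var.aws_secret_name` (for example a value of `app-db` would also cover `app-db-admin`). Secrets Manager appends a hyphen and six random characters to every secret ARN, so the documented tight form is `"arn:${data.aws_partition.current.partition}:secretsmanager:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:secret:${var.aws_secret_name}-??????"`, assuming such data sources exist in this module (the `current` names are illustrative, none are visible in the hunk); referencing the secret's own `arn` attribute is better still if the secret is created or looked up in Terraform. A short comment such as `# "-??????" matches only the 6-char suffix Secrets Manager adds; a bare "*" would also match name prefixes` would make the suffix's intent clear to the next reader. The `lambda_secret_manager_policy` document starts before this hunk.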