update tf files and workflow

.github/workflows/release.yml

@@ -52,7 +52,7 @@ jobs:
       run:
         working-directory: src
     container:
-      image: returntocorp/semgrep
+      image: semgrep/semgrep
     steps:
       - uses: actions/checkout@v4
       - run: semgrep ci --config "p/ci" --config "p/python" --config "p/owasp-top-ten" --sarif --output=semgrep.sarif

.github/workflows/semgrep.yml

@@ -33,14 +33,14 @@ jobs:
       # Fetch project source
       - uses: actions/checkout@v4
       # Run the "semgrep ci" command on the command line of the docker image.
-      - run: semgrep ci
+      - run: semgrep ci --config "p/ci" --config "p/python" --config "p/owasp-top-ten" --sarif --output=semgrep.sarif
         env:
           # Connect to Semgrep Cloud Platform through your SEMGREP_APP_TOKEN.
           # Generate a token from Semgrep Cloud Platform > Settings
           # and add it to your GitHub secrets.
           SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
       - name: Upload SARIF file for GitHub Advanced Security Dashboard
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: semgrep.sarif
         if: always()

terraform/main.tf

@@ -91,61 +91,50 @@ resource "aws_iam_role" "iam_key_creator" {
   tags                  = var.tags
 }
 
-data "aws_iam_policy_document" "iam_key_creator_policy" {
-  # checkov:skip=CKV_AWS_109: Ensure IAM policies does not allow permissions management / resource exposure without constraints
-  # checkov:skip=CKV_AWS_110: Ensure IAM policies does not allow privilege escalation
-  # checkov:skip=CKV_AWS_107: Ensure IAM policies does not allow credentials exposure
-  statement {
-    effect = "Allow"
-    actions = [
-      "iam:ListUserTags",
-      "iam:ListAccessKeys",
-      "iam:ListUsers",
-      "iam:CreateAccessKey",
-      "iam:ListAccountAliases"
-    ]
-    resources = ["*"]
-  }
-
-  statement {
-    effect = "Allow"
-    actions = [
-      "dynamodb:PutItem"
-    ]
-    resources = [aws_dynamodb_table.iam_key_rotator.arn]
-  }
-
-  statement {
-    effect = "Allow"
-    actions = [
-      "ssm:GetParameter"
-    ]
-    resources = ["arn:aws:ssm:${var.region}:${local.account_id}:parameter/ikr/*"]
-  }
-
-  dynamic "statement" {
-    for_each = var.encrypt_key_pair == true ? [0] : []
-    content {
-      effect    = "Allow"
-      actions   = ["ssm:PutParameter"]
-      resources = ["arn:aws:ssm:${var.region}:${local.account_id}:parameter/ikr/*"]
-    }
-  }
-
-  dynamic "statement" {
-    for_each = var.mail_client == "ses" ? [0] : []
-    content {
-      effect    = "Allow"
-      actions   = ["ses:SendEmail"]
-      resources = ["*"]
-    }
-  }
-}
-
 resource "aws_iam_role_policy" "iam_key_creator_policy" {
-  name   = "${var.key_creator_role_name}-policy"
-  role   = aws_iam_role.iam_key_creator.id
-  policy = data.aws_iam_policy_document.iam_key_creator_policy.json
+  name = "${var.key_creator_role_name}-policy"
+  role = aws_iam_role.iam_key_creator.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = flatten([
+      [{
+        Effect = "Allow"
+        Action = [
+          "iam:ListUserTags",
+          "iam:ListAccessKeys",
+          "iam:ListUsers",
+          "iam:CreateAccessKey",
+          "iam:ListAccountAliases"
+        ]
+        Resources = ["*"]
+        },
+        {
+          Effect = "Allow"
+          Action = [
+            "dynamodb:PutItem"
+          ]
+          Resources = [aws_dynamodb_table.iam_key_rotator.arn]
+        },
+        {
+          Effect = "Allow"
+          Action = [
+            "ssm:GetParameter"
+          ]
+          Resources = ["arn:aws:ssm:${var.region}:${local.account_id}:parameter/ikr/*"]
+      }],
+      var.encrypt_key_pair ? [{
+        Effect    = "Allow"
+        Action    = ["ssm:PutParameter"]
+        Resources = ["arn:aws:ssm:${var.region}:${local.account_id}:parameter/ikr/*"]
+      }] : [],
+      var.mail_client == "ses" ? [{
+        Effect    = "Allow"
+        Action    = ["ses:SendEmail"]
+        Resources = ["*"]
+      }] : []
+    ])
+  })
 }
 
 resource "aws_iam_role_policy_attachment" "iam_key_creator_logs" {
@@ -192,6 +181,7 @@ resource "aws_ssm_parameter" "smtp_password" {
 }
 
 resource "aws_cloudwatch_log_group" "iam_key_creator" {
+  # checkov:skip=CKV_AWS_338: Retention period is user dependant
   name              = "/aws/lambda/${var.key_creator_function_name}"
   retention_in_days = var.cw_log_group_retention
   kms_key_id        = var.cw_logs_kms_key_arn
@@ -252,60 +242,51 @@ resource "aws_iam_role" "iam_key_destructor" {
   tags                  = var.tags
 }
 
-data "aws_iam_policy_document" "iam_key_destructor_policy" {
-  # checkov:skip=CKV_AWS_109: Ensure IAM policies does not allow permissions management / resource exposure without constraints
-  statement {
-    effect = "Allow"
-    actions = [
-      "iam:DeleteAccessKey",
-      "iam:ListAccountAliases"
-    ]
-    resources = ["*"]
-  }
-
-  statement {
-    effect = "Allow"
-    actions = [
-      "dynamodb:PutItem"
-    ]
-    resources = [aws_dynamodb_table.iam_key_rotator.arn]
-  }
-
-  statement {
-    effect = "Allow"
-    actions = [
-      "dynamodb:DescribeStream",
-      "dynamodb:GetRecords",
-      "dynamodb:GetShardIterator",
-      "dynamodb:ListShards",
-      "dynamodb:ListStreams"
-    ]
-    resources = [aws_dynamodb_table.iam_key_rotator.stream_arn]
-  }
-
-  dynamic "statement" {
-    for_each = var.encrypt_key_pair == true ? [0] : []
-    content {
-      effect    = "Allow"
-      actions   = ["ssm:DeleteParameter"]
-      resources = ["arn:aws:ssm:${var.region}:${local.account_id}:parameter/ikr/secret/iam/*"]
-    }
-  }
-
-  dynamic "statement" {
-    for_each = var.mail_client == "ses" ? [0] : []
-    content {
-      effect    = "Allow"
-      actions   = ["ses:SendEmail"]
-      resources = ["*"]
-    }
-  }
-}
-
 resource "aws_iam_role_policy" "iam_key_destructor_policy" {
-  name   = "${var.key_destructor_role_name}-policy"
-  role   = aws_iam_role.iam_key_destructor.id
-  policy = data.aws_iam_policy_document.iam_key_destructor_policy.json
+  name = "${var.key_destructor_role_name}-policy"
+  role = aws_iam_role.iam_key_destructor.id
+
+  policy = jsonencode({
+    Version = "2012-10-17"
+    Statement = flatten([
+      [{
+        Effect = "Allow"
+        Action = [
+          "iam:DeleteAccessKey",
+          "iam:ListAccountAliases"
+        ]
+        Resources = ["*"]
+        },
+        {
+          Effect = "Allow"
+          Action = [
+            "dynamodb:PutItem"
+          ]
+          Resources = [aws_dynamodb_table.iam_key_rotator.arn]
+        },
+        {
+          Effect = "Allow"
+          Action = [
+            "dynamodb:DescribeStream",
+            "dynamodb:GetRecords",
+            "dynamodb:GetShardIterator",
+            "dynamodb:ListShards",
+            "dynamodb:ListStreams"
+          ]
+          Resources = [aws_dynamodb_table.iam_key_rotator.stream_arn]
+      }],
+      var.encrypt_key_pair ? [{
+        Effect    = "Allow"
+        Action    = ["ssm:DeleteParameter"]
+        Resources = ["arn:aws:ssm:${var.region}:${local.account_id}:parameter/ikr/secret/iam/*"]
+      }] : [],
+      var.mail_client == "ses" ? [{
+        Effect    = "Allow"
+        Action    = ["ses:SendEmail"]
+        Resources = ["*"]
+      }] : []
+    ])
+  })
 }
 
 resource "aws_iam_role_policy_attachment" "iam_key_destructor_logs" {
@@ -321,6 +302,7 @@ resource "aws_lambda_event_source_mapping" "iam_key_destructor" {
 }
 
 resource "aws_cloudwatch_log_group" "iam_key_destructor" {
+  # checkov:skip=CKV_AWS_338: Retention period is user dependant
   name              = "/aws/lambda/${var.key_destructor_function_name}"
   retention_in_days = var.cw_log_group_retention
   kms_key_id        = var.cw_logs_kms_key_arn