Added condition to clear checkov error CKV_AWS_358

[SteveLinden]

One error in the checkov report to be cleared. The change here should clear the issue. The actual checkov error is CKV_aws_358: "Ensure GitHub Actions OIDC trust policies only allows actions from a specific known organization"

This PR includes a validation for the github_repositories variable to give us a combination of flexibility in accepted GitHub Organizations, and control over which Orgs we all. At present, we're only allowing ministryofjustice but the conditional validation can be expanded as needed.

[github-actions]

TFSEC Scan Success

Show Output

*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             144.1µs
  parsing              1.352811ms
  adaptation           155.301µs
  checks               21.25076ms
  total                22.902972ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     20
  files read           6

  results
  ──────────────────────────────────────────
  passed               0
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
terraform scan results:

Passed checks: 30, Failed checks: 1, Skipped checks: 5

Check: CKV_AWS_358: "Ensure GitHub Actions OIDC trust policies only allows actions from a specific known organization"
	FAILED for resource: module.module_test.aws_iam_policy_document.github_oidc_assume_role
	File: /iam.tf:7-39
	Calling File: /test/unit-test/main.tf:2-8
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-358.html

		7  | data "aws_iam_policy_document" "github_oidc_assume_role" {
		8  |   version = "2012-10-17"
		9  | 
		10 |   statement {
		11 |     effect  = "Allow"
		12 |     actions = ["sts:AssumeRoleWithWebIdentity"]
		13 | 
		14 |     principals {
		15 |       type = "Federated"
		16 |       identifiers = [
		17 |         "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
		18 |       ]
		19 |     }
		20 | 
		21 |     condition {
		22 |       test     = "StringEquals"
		23 |       variable = "token.actions.githubusercontent.com:aud"
		24 |       values   = ["sts.amazonaws.com"]
		25 |     }
		26 | 
		27 |     condition {
		28 |       test     = "StringLike"
		29 |       variable = "token.actions.githubusercontent.com:sub"
		30 |       values   = formatlist("repo:%s", var.github_repositories)
		31 |     }
		32 |     # Addition to clear checkov error
		33 |     condition {
		34 |       test     = "StringLike"
		35 |       variable = "token.actions.githubusercontent.com:sub"
		36 |       values   = "repo:ministryofjustice/*"
		37 |     }
		38 |   }
		39 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

[github-actions]

TFSEC Scan Success

Show Output

*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             117.009µs
  parsing              1.179592ms
  adaptation           141.211µs
  checks               14.337322ms
  total                15.775134ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     20
  files read           6

  results
  ──────────────────────────────────────────
  passed               0
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
terraform scan results:

Passed checks: 31, Failed checks: 0, Skipped checks: 5

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=0

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

[davidkelliott]

Hey, could you add a bit of detail into the PR as to what the original error was and how this is being resolved please? Also I think you can remove the comment as it doesn't really add anything.

[github-actions]

TFSEC Scan Success

Show Output

*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             117.8µs
  parsing              1.156911ms
  adaptation           134.501µs
  checks               19.531187ms
  total                20.940399ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     20
  files read           6

  results
  ──────────────────────────────────────────
  passed               0
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
terraform scan results:

Passed checks: 31, Failed checks: 0, Skipped checks: 5

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=0

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

[github-actions]

TFSEC Scan Success

Show Output

*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             97.6µs
  parsing              2.326676ms
  adaptation           138.298µs
  checks               12.53417ms
  total                15.096744ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     20
  files read           6

  results
  ──────────────────────────────────────────
  passed               0
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Failed

Show Output

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
terraform scan results:

Passed checks: 30, Failed checks: 1, Skipped checks: 5

Check: CKV_AWS_358: "Ensure GitHub Actions OIDC trust policies only allows actions from a specific known organization"
	FAILED for resource: module.module_test.aws_iam_policy_document.github_oidc_assume_role
	File: /iam.tf:7-33
	Calling File: /test/unit-test/main.tf:2-8
	Guide: https://docs.paloaltonetworks.com/content/techdocs/en_US/prisma/prisma-cloud/prisma-cloud-code-security-policy-reference/aws-policies/aws-iam-policies/iam-358.html

		7  | data "aws_iam_policy_document" "github_oidc_assume_role" {
		8  |   version = "2012-10-17"
		9  | 
		10 |   statement {
		11 |     effect  = "Allow"
		12 |     actions = ["sts:AssumeRoleWithWebIdentity"]
		13 | 
		14 |     principals {
		15 |       type = "Federated"
		16 |       identifiers = [
		17 |         "arn:aws:iam::${data.aws_caller_identity.current.account_id}:oidc-provider/token.actions.githubusercontent.com"
		18 |       ]
		19 |     }
		20 | 
		21 |     condition {
		22 |       test     = "StringEquals"
		23 |       variable = "token.actions.githubusercontent.com:aud"
		24 |       values   = ["sts.amazonaws.com"]
		25 |     }
		26 | 
		27 |     condition {
		28 |       test     = "StringLike"
		29 |       variable = "token.actions.githubusercontent.com:sub"
		30 |       values   = formatlist("repo:%s", var.github_repositories)
		31 |     }
		32 |   }
		33 | }

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=1

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

[github-actions]

TFSEC Scan Success

Show Output

*****************************

TFSEC will check the following folders:
.

*****************************

Running TFSEC in .
Excluding the following checks: AWS089, AWS099, AWS009, AWS097, AWS018

======================================================
tfsec is joining the Trivy family

tfsec will continue to remain available 
for the time being, although our engineering 
attention will be directed at Trivy going forward.

You can read more here: 
https://github.com/aquasecurity/tfsec/discussions/1994
======================================================
  timings
  ──────────────────────────────────────────
  disk i/o             107.001µs
  parsing              1.033917ms
  adaptation           118.502µs
  checks               8.033427ms
  total                9.292847ms

  counts
  ──────────────────────────────────────────
  modules downloaded   0
  modules processed    1
  blocks processed     20
  files read           6

  results
  ──────────────────────────────────────────
  passed               0
  ignored              0
  critical             0
  high                 0
  medium               0
  low                  0


No problems detected!

tfsec_exitcode=0

Checkov Scan Success

Show Output

*****************************

Checkov will check the following folders:
.

*****************************

Running Checkov in .
Excluding the following checks: CKV_GIT_1
terraform scan results:

Passed checks: 30, Failed checks: 0, Skipped checks: 6

github_actions scan results:

Passed checks: 176, Failed checks: 0, Skipped checks: 0


checkov_exitcode=0

CTFLint Scan Success

Show Output

*****************************

Setting default tflint config...
Running tflint --init...
Installing `terraform` plugin...
Installed `terraform` (source: github.com/terraform-linters/tflint-ruleset-terraform, version: 0.2.1)
tflint will check the following folders:
.

*****************************

Running tflint in .
tflint_exitcode=0

[ewastempel]

I’ve checked the current repos in all the env files and none of them belongs to an org outside of the ministryofjustice, so this should be sufficient for now (but may need updating in the future