Apply suggestions from code review
davemooreuws authored and raksiv committed Jan 14, 2025
1 parent 8665f76 commit bf8e80f
Showing 1 changed file with 4 additions and 8 deletions.
12 changes: 4 additions & 8 deletions docs/guides/terraform/checkov.mdx
Expand Up @@ -28,7 +28,7 @@ Checkov can be used with any Nitric project that you intend to deploy with Terra

Let's start by creating a new project from a Nitric template, this will provide a base to start building the API.

```typescript
```bash
nitric new my-profile-api ts-starter
```

Expand All @@ -48,7 +48,7 @@ nitric start

## Deploying to AWS with a Terraform provider

To deploy your application with Terraform you'll need to use Nitric's Terraform providers. You can learn more about using Nitric with Terraform here.
To deploy your application with Terraform you'll need to use Nitric's Terraform providers. You can learn more about using Nitric with Terraform [here](/providers/terraform).

```bash
nitric stack new dev aws-tf
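Review bot: the new link uses "here" as its text, which reads poorly in the rendered guide and in link lists; consider making the descriptive phrase the link instead, e.g. `You can learn more about [using Nitric with Terraform](/providers/terraform).` The relative path is fine as long as the docs site resolves `/providers/terraform` from this guide's location.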
Expand Down Expand Up @@ -97,10 +97,6 @@ checkov -f tfplan.json

Checkov comes with some great default checks, however, they do need to be aligned with the requirements of your application.

Here is an example:

The Checkov policy ‘CKV_AWS_136‘ checks specifically for SSE-KMS using a customer-managed KMS key (or at least AWS-managed KMS key). Thus, Checkov will fail if it doesn’t see a KMS key reference, even though your ECR repository is still encrypted by SSE-S3 automatically.

This finding might not always be relevant because, by default, Amazon ECR encrypts container images at rest using Amazon S3 server-side encryption (SSE-S3). That means your images are always encrypted, even if you don’t explicitly configure a KMS key.
For example the Checkov policy ‘CKV_AWS_136‘ checks specifically for SSE-KMS using a customer-managed KMS key (or at least AWS-managed KMS key). This finding might not always be relevant because, by default, Amazon ECR encrypts container images at rest using Amazon S3 server-side encryption (SSE-S3). That means your images are always encrypted, even if you don’t explicitly configure a KMS key.

If you have any concerns, please don't hesitate to [reach out](https://discord.com/invite/Webemece5C).
If you have any concerns, please don't hesitate to [reach out](https://nitric.io/chat).

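Review bot: the merged paragraph drops the sentence that explained why the finding fires (Checkov fails when it sees no KMS key reference, even though the ECR repository is still encrypted with SSE-S3), so the reader now learns that the check exists but not what triggers it; keep that clause, e.g. `Checkov fails CKV_AWS_136 when it doesn't see a KMS key reference, even though ECR still encrypts the repository with SSE-S3 by default.` Two smaller points on the same lines: `‘CKV_AWS_136‘` uses mismatched curly quotes where MDX should use backticks, and because the guide is telling readers a finding may not apply to them, it should say how to record that decision instead of leaving them to ignore the output, e.g. `checkov -f tfplan.json --skip-check CKV_AWS_136`, with a note that SSE-KMS with a customer-managed key adds key rotation control and CloudTrail logging of key usage that SSE-S3 does not provide, so skipping the check should be a deliberate choice. The support link swap to `https://nitric.io/chat` looks fine.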