From 421236e52a0e3950c182b3372acfb5bef1171291 Mon Sep 17 00:00:00 2001 From: Thanh Ha Date: Wed, 20 Nov 2024 15:43:15 -0500 Subject: [PATCH] Do not disable CKV_AWS_28 completely (#304) This check is generally useful as a reminder to setup backups. However the DynamoDB used by ALI is only a cache so does not need to be backed up in this case. This change re-enables the check however disables it for this specific instance. Signed-off-by: Thanh Ha --- .checkov.yml | 1 - modules/backend-state/dynamo.tf | 3 ++- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.checkov.yml b/.checkov.yml index 50612dd..4d0317c 100644 --- a/.checkov.yml +++ b/.checkov.yml @@ -17,7 +17,6 @@ skip-check: - CKV_AWS_145 - CKV_AWS_144 - CKV2_AWS_16 - - CKV_AWS_28 # Configure Checkov's log level (useful for debugging) # log-level: DEBUG # Available options: DEBUG, INFO, WARN, ERROR diff --git a/modules/backend-state/dynamo.tf b/modules/backend-state/dynamo.tf index 2c0f691..583a3f8 100644 --- a/modules/backend-state/dynamo.tf +++ b/modules/backend-state/dynamo.tf @@ -1,4 +1,5 @@ resource "aws_dynamodb_table" "terraform_state_lock" { + #checkov:skip=CKV_AWS_28:ALI uses this as a cache and does not need backup count = data.external.terraform_state_bucket_exists.result.exists == "true" ? 0 : 1 name = "${var.dynamo_table_name}-${var.project}-${var.environment}" read_capacity = 1 @@ -9,4 +10,4 @@ resource "aws_dynamodb_table" "terraform_state_lock" { name = "LockID" type = "S" } -} \ No newline at end of file +}
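Review bot: The suppression reason on the added `#checkov:skip=CKV_AWS_28` line in `modules/backend-state/dynamo.tf` calls the table a cache, but the resource is `terraform_state_lock` with a `LockID` attribute, which looks like the Terraform state-lock table. Anyone auditing suppressions later will read that text as the record of why point-in-time recovery is off, so it should name what the table actually holds, for example `#checkov:skip=CKV_AWS_28:State-lock table holds only transient lock entries, PITR not needed`. If the table is expected to hold anything beyond lock entries, the skip should be reconsidered rather than reworded. Part of the resource body lies between the two hunks and is not visible here.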