refactor: remove time provider and add skip comments for ALB logging

alismx · alismx · commit 8c6733320b43 · 2026-03-31T12:48:52.000-07:00
- Remove unused hashicorp/time TerraForm provider dependency
- Add checkov and trivy skip comments for CKV_AWS_145 and AVD-AWS-0132 on
  ALB logging S3 bucket (expected - ALB logging is not compatible with
  customer managed KMS keys)

Related: alis/fix-logging-path
diff --git a/_variable.tf b/_variable.tf
@@ -317,9 +317,9 @@ variable "disable_ecr" {
 }
 
 variable "enable_enhanced_ecr_registry_scanning" {
-  type = bool
+  type        = bool
   description = "Flag to enable enhanced ecr registry scanning, defaults to false"
-  default = false
+  default     = false
 }
 variable "tags" {
   type        = map(string)
diff --git a/alb.tf b/alb.tf
@@ -25,7 +25,7 @@ resource "aws_alb" "ecs" {
     data.aws_iam_policy_document.s3_logging,
     aws_s3_bucket_server_side_encryption_configuration.logging,
   ]
-  tags       = local.tags
+  tags = local.tags
 }
 
 resource "aws_alb_target_group" "this" {
diff --git a/enable_ecr.tf b/enable_ecr.tf
@@ -39,7 +39,7 @@ resource "aws_ecr_repository" "this" {
 }
 
 resource "aws_ecr_registry_scanning_configuration" "configuration" {
-  count        = var.disable_ecr == false && var.enable_enhanced_ecr_registry_scanning == true ? 1 : 0
+  count     = var.disable_ecr == false && var.enable_enhanced_ecr_registry_scanning == true ? 1 : 0
   scan_type = "ENHANCED"
 
   rule {
diff --git a/provider.tf b/provider.tf
@@ -16,10 +16,6 @@ terraform {
       source  = "hashicorp/random"
       version = "~> 3.6.3"
     }
-    time = {
-      source  = "hashicorp/time"
-      version = "~> 0.13.1"
-    }
   }
   required_version = "~> 1.9.0"
 }
diff --git a/s3.tf b/s3.tf
@@ -55,12 +55,14 @@ resource "aws_s3_bucket_public_access_block" "logging" {
   restrict_public_buckets = true
 }
 
+# checkov:skip=CKV_AWS_145:ALB logging is not fully compatible with customer managed keys
+# trivy:ignore:AVD-AWS-0132
 resource "aws_s3_bucket_server_side_encryption_configuration" "logging" {
   bucket = aws_s3_bucket.logging.bucket
   rule {
     # CANNOT USER CUSTOMER MANAGED KEYS WITH ALB LOGGING
     apply_server_side_encryption_by_default {
-      sse_algorithm     = "AES256"
+      sse_algorithm = "AES256"
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -317,9 +317,9 @@ variable "disable_ecr" {`
`317`	`317`	`}`
`318`	`318`
`319`	`319`	`variable "enable_enhanced_ecr_registry_scanning" {`
`320`		`- type = bool`
	`320`	`+ type = bool`
`321`	`321`	`description = "Flag to enable enhanced ecr registry scanning, defaults to false"`
`322`		`- default = false`
	`322`	`+ default = false`
`323`	`323`	`}`
`324`	`324`	`variable "tags" {`
`325`	`325`	`type = map(string)`
Original file line number	Diff line number	Diff line change
`@@ -25,7 +25,7 @@ resource "aws_alb" "ecs" {`
`25`	`25`	`data.aws_iam_policy_document.s3_logging,`
`26`	`26`	`aws_s3_bucket_server_side_encryption_configuration.logging,`
`27`	`27`	`]`
`28`		`- tags = local.tags`
	`28`	`+ tags = local.tags`
`29`	`29`	`}`
`30`	`30`
`31`	`31`	`resource "aws_alb_target_group" "this" {`
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,7 @@ resource "aws_ecr_repository" "this" {`
`39`	`39`	`}`
`40`	`40`
`41`	`41`	`resource "aws_ecr_registry_scanning_configuration" "configuration" {`
`42`		`- count = var.disable_ecr == false && var.enable_enhanced_ecr_registry_scanning == true ? 1 : 0`
	`42`	`+ count = var.disable_ecr == false && var.enable_enhanced_ecr_registry_scanning == true ? 1 : 0`
`43`	`43`	`scan_type = "ENHANCED"`
`44`	`44`
`45`	`45`	`rule {`
Original file line number	Diff line number	Diff line change
`@@ -16,10 +16,6 @@ terraform {`
`16`	`16`	`source = "hashicorp/random"`
`17`	`17`	`version = "~> 3.6.3"`
`18`	`18`	`}`
`19`		`- time = {`
`20`		`- source = "hashicorp/time"`
`21`		`- version = "~> 0.13.1"`
`22`		`- }`
`23`	`19`	`}`
`24`	`20`	`required_version = "~> 1.9.0"`
`25`	`21`	`}`
Original file line number	Diff line number	Diff line change
`@@ -55,12 +55,14 @@ resource "aws_s3_bucket_public_access_block" "logging" {`
`55`	`55`	`restrict_public_buckets = true`
`56`	`56`	`}`
`57`	`57`
	`58`	`+# checkov:skip=CKV_AWS_145:ALB logging is not fully compatible with customer managed keys`
	`59`	`+# trivy:ignore:AVD-AWS-0132`
`58`	`60`	`resource "aws_s3_bucket_server_side_encryption_configuration" "logging" {`
`59`	`61`	`bucket = aws_s3_bucket.logging.bucket`
`60`	`62`	`rule {`
`61`	`63`	`# CANNOT USER CUSTOMER MANAGED KEYS WITH ALB LOGGING`
`62`	`64`	`apply_server_side_encryption_by_default {`
`63`		`- sse_algorithm = "AES256"`
	`65`	`+ sse_algorithm = "AES256"`
`64`	`66`	`}`
`65`	`67`	`}`
`66`	`68`	`}`