Re-enable and configure Checkov security scanning #111

@lgallard

Re-enable Checkov Security Scanning

Context

Checkov security scanning was temporarily disabled in the CI/CD pipeline due to policy violations that don't necessarily apply to all use cases of this Terraform module.

Specific Issues That Led to Disabling

The following Checkov checks were failing:

  1. CKV_AWS_304: "Ensure Secrets Manager secrets should be rotated within 90 days"

    • Location: main.tf:223 (secret rotation resource)
    • Issue: Enforces mandatory 90-day rotation policy
  2. CKV_AWS_7: "Ensure rotation for customer created CMKs is enabled"

    • Location: examples/ephemeral/ephemeral-for-each-example.tf:42
    • Issue: Requires KMS key rotation to be explicitly enabled

Action Items

Phase 1: Analysis

  • Review each failing Checkov rule to determine if it's appropriate for this module
  • Identify which checks should be:
    • Fixed by updating the code
    • Skipped with proper justification
    • Made conditional based on use case

Phase 2: Implementation

  • For legitimate security concerns: Update code to pass checks
  • For policy recommendations: Add proper skip configuration with comments explaining why
  • Consider creating module variables to allow users to opt-in to stricter security policies

Phase 3: Re-integration

  • Add Checkov back to .github/workflows/test.yml
  • Configure appropriate skip rules with documentation
  • Test that CI/CD pipeline passes with new configuration
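The following is an added illustration of the Phase 2 items (an opt-in module variable for a legitimate check, and a documented skip for a policy-only check); it is not code from this module or from the issue author, and the variable and resource names are hypothetical. It shows the two patterns a reviewer would look for: `aws_kms_key` rotation driven by a module variable so that CKV_AWS_7 passes by default while still being configurable, and an inline `#checkov:skip` annotation on the secret-rotation resource that records why CKV_AWS_304 is not enforced unconditionally.

```hcl
# Added example (not the module's own code). Names are hypothetical.

variable "enable_key_rotation" {
  description = "Enable automatic rotation of the customer-managed KMS key (satisfies CKV_AWS_7 when true)."
  type        = bool
  default     = true
}

variable "rotation_days" {
  description = "Days between automatic secret rotations; CKV_AWS_304 expects 90 or fewer."
  type        = number
  default     = 90
}

variable "rotation_lambda_arn" {
  description = "ARN of the Lambda function that performs the secret rotation (hypothetical input)."
  type        = string
}

# Legitimate security concern: fix it in code, but let the consumer opt out
# explicitly rather than silently disabling rotation.
resource "aws_kms_key" "secret" {
  description         = "CMK for the Secrets Manager secret (hypothetical)"
  enable_key_rotation = var.enable_key_rotation
}

resource "aws_secretsmanager_secret" "this" {
  name       = "example-secret" # constructed sample value
  kms_key_id = aws_kms_key.secret.arn
}

# Policy recommendation: the 90-day interval is the default, but some consumers
# need a longer window, so the check is skipped with a written justification.
# Checkov reads the skip annotation from any line inside the resource block.
resource "aws_secretsmanager_secret_rotation" "this" {
  #checkov:skip=CKV_AWS_304:Rotation interval is user-configurable via var.rotation_days; the module default of 90 days satisfies the policy
  secret_id           = aws_secretsmanager_secret.this.id
  rotation_lambda_arn = var.rotation_lambda_arn

  rotation_rules {
    automatically_after_days = var.rotation_days
  }
}
```

Before re-adding the workflow step, the two rules can be exercised in isolation against the module directory with `checkov -d . --check CKV_AWS_7,CKV_AWS_304`; with the variable defaults above, CKV_AWS_7 passes outright and CKV_AWS_304 is reported as skipped together with the justification text, which is the record a reviewer wants to see in the scan output rather than a bare suppression.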

Benefits of Re-enabling

  • Automated security policy compliance checking
  • Catches potential security misconfigurations early
  • Maintains security best practices for Terraform modules
  • Provides security guidance for module users

Current Workaround

tfsec security scanning remains enabled and provides core security vulnerability detection.
