checkov
CKV2_AWS_5: aws_spot_fleet_request launch_specification
Hello.
Maybe it's possible somehow not to have errors for such a configuration: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/spot_fleet_request
```hcl
resource "aws_spot_fleet_request" "cheap_compute" {
  iam_fleet_role                     = "arn:aws:iam::ID:role/aws-ec2-spot-fleet-tagging-role"
  spot_price                         = "1.0"
  allocation_strategy                = "capacityOptimized"
  target_capacity                    = 0
  excess_capacity_termination_policy = "NoTermination"

  dynamic "launch_specification" {
    for_each = {
      for ec2_setting in local.ec2_settings : "${ec2_setting.instance_type}.${ec2_setting.subnet_id}" => ec2_setting
    }
    content {
      instance_type          = launch_specification.value.instance_type
      ami                    = data.aws_ami.jenkins_ami.id
      key_name               = var.ssh_key_name
      subnet_id              = launch_specification.value.subnet_id
      vpc_security_group_ids = [aws_security_group.allow_ssh_jenkins_master.id]
    }
  }
}
```
Security group here is attached to launch_specification, but checkov still has an error that it's not.
hey @vvatlin thanks for reaching out. Nice catch, it looks like we don't have aws_spot_fleet_request in the list of possible security group connections. Are you interested in contributing the addition? You would need to do something similar to this PR #3995
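To make the maintainer's explanation concrete, here is an added example (not checkov's own code) that models how a graph-style "security group attached to a resource" check reaches its verdict from a table of resource types and the attribute paths that reference security groups. The connection table, the resource dicts and the dotted path `launch_specification.vpc_security_group_ids` are constructed assumptions that mirror the issue's Terraform; checkov's real implementation and resource list differ.

```python
# Constructed connection table: resource type -> dotted attribute paths that
# reference security groups. Deliberately lacks aws_spot_fleet_request (the bug).
SG_CONNECTIONS = {
    "aws_instance": ["vpc_security_group_ids"],
    "aws_launch_template": ["vpc_security_group_ids"],
}
# The same table with the addition the thread proposes (path name is an assumption).
FIXED_CONNECTIONS = {
    **SG_CONNECTIONS,
    "aws_spot_fleet_request": ["launch_specification.vpc_security_group_ids"],
}

# Constructed resources mirroring the issue's Terraform, as a parser might emit
# them: the dynamic block has expanded into two launch_specification entries.
SG_REF = "aws_security_group.allow_ssh_jenkins_master.id"
RESOURCES = [
    {"type": "aws_security_group", "name": "allow_ssh_jenkins_master", "attrs": {}},
    {"type": "aws_spot_fleet_request", "name": "cheap_compute", "attrs": {
        "launch_specification": [
            {"instance_type": "t3.medium", "vpc_security_group_ids": [SG_REF]},
            {"instance_type": "t3.large", "vpc_security_group_ids": [SG_REF]},
        ]}},
]

def _leaves(value, path):
    """Yield string values found at a dotted path, descending through lists so
    repeated nested blocks (e.g. several launch_specification) are all visited."""
    if isinstance(value, list):
        for item in value:
            yield from _leaves(item, path)
    elif not path:
        if isinstance(value, str):
            yield value
    elif isinstance(value, dict) and path[0] in value:
        yield from _leaves(value[path[0]], path[1:])

def check_sg_attached(resources, connections):
    """Return {'aws_security_group.<name>': 'PASSED'|'FAILED'} per security group;
    PASSED only if some resource references it through a known connection path."""
    referenced = set()
    for res in resources:
        for attr_path in connections.get(res["type"], []):
            for leaf in _leaves(res["attrs"], attr_path.split(".")):
                if leaf.startswith("aws_security_group."):
                    referenced.add(leaf.removesuffix(".id"))
    sgs = [f"{r['type']}.{r['name']}" for r in resources if r["type"] == "aws_security_group"]
    return {sg: "PASSED" if sg in referenced else "FAILED" for sg in sgs}
```

Running `check_sg_attached(RESOURCES, SG_CONNECTIONS)` reproduces the false FAILED verdict from the issue even though the group is referenced; with `FIXED_CONNECTIONS` the same resources yield PASSED.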
Hi @gruebel Yes, sure, let me try. I'll create a PR