feat(api): FTRS-0000 Invoke mtls perf test from action

ManithaSrinivasa · ManithaSrinivasa · commit f04a548bf8f8 · 2026-02-20T12:34:07.000Z
diff --git a/infrastructure/modules/ods-mock-api/main.tf b/infrastructure/modules/ods-mock-api/main.tf
@@ -137,6 +137,9 @@ resource "aws_api_gateway_deployment" "ods_mock" {
 }
 
 resource "aws_api_gateway_stage" "ods_mock" {
+  # checkov:skip=CKV2_AWS_29: Mock API for dev testing, WAF protection not required
+  # checkov:skip=CKV2_AWS_51: Using API key authentication instead of client certificates for mock API simplicity
+  # checkov:skip=CKV2_AWS_4: False positive, we are configuring custom logging
   deployment_id = aws_api_gateway_deployment.ods_mock.id
   rest_api_id   = aws_api_gateway_rest_api.ods_mock.id
   stage_name    = "dev"
@@ -194,6 +197,8 @@ resource "aws_api_gateway_method_settings" "ods_mock" {
 }
 
 resource "aws_cloudwatch_log_group" "api_gateway_log_group" {
+  # checkov:skip=CKV_AWS_158: Justification: Using AWS default encryption.
+  # checkov:skip=CKV_AWS_338: Justification: Non-production do not require long term log retention.
   name              = "/aws/api-gateway/${var.api_gateway_name}"
   retention_in_days = var.api_gateway_log_group_retention_days
   log_group_class   = var.api_gateway_log_group_class
diff --git a/infrastructure/modules/shield/sns.tf b/infrastructure/modules/shield/sns.tf
@@ -1,6 +1,4 @@
 # SNS Topic for Shield DDoS alerts
-#trivy:ignore:AVD-AWS-0136
-#trivy:ignore:AVD-AWS-0095
 resource "aws_sns_topic" "shield_ddos_alerts" {
   #checkov:skip=CKV_AWS_26: Revisit with the encryption work
   name = "${var.resource_prefix}-${var.resource_name}-shield-ddos-alerts"
diff --git a/infrastructure/stacks/etl_ods/security_group.tf b/infrastructure/stacks/etl_ods/security_group.tf
@@ -10,7 +10,7 @@ resource "aws_security_group" "etl_ods_lambda_security_group" {
   vpc_id = data.aws_vpc.vpc.id
 }
 
-# trivy:ignore:aws-vpc-no-public-egress-sgr : TODO https://nhsd-jira.digital.nhs.uk/browse/FTRS-386
+
 resource "aws_vpc_security_group_egress_rule" "etl_ods_allow_443" {
   count = local.is_primary_environment ? 1 : 0
 
diff --git a/infrastructure/stacks/ui/dynamodb.tf b/infrastructure/stacks/ui/dynamodb.tf
@@ -1,4 +1,4 @@
-#trivy:ignore:AVD-AWS-0024
+
 module "ui_session_store" {
   count  = local.stack_enabled
   source = "../../modules/dynamodb"

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ resource "aws_security_group" "etl_ods_lambda_security_group" {`
`10`	`10`	`vpc_id = data.aws_vpc.vpc.id`
`11`	`11`	`}`
`12`	`12`
`13`		`-# trivy:ignore:aws-vpc-no-public-egress-sgr : TODO https://nhsd-jira.digital.nhs.uk/browse/FTRS-386`
	`13`	`+`
`14`	`14`	`resource "aws_vpc_security_group_egress_rule" "etl_ods_allow_443" {`
`15`	`15`	`count = local.is_primary_environment ? 1 : 0`
`16`	`16`
Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-#trivy:ignore:AVD-AWS-0024`
	`1`	`+`
`2`	`2`	`module "ui_session_store" {`
`3`	`3`	`count = local.stack_enabled`
`4`	`4`	`source = "../../modules/dynamodb"`