Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

terraform_plan - modules - for_each / count issues #6113

Open
Greg05000 opened this issue Mar 22, 2024 · 3 comments · May be fixed by #6793
Open

terraform_plan - modules - for_each / count issues #6113

Greg05000 opened this issue Mar 22, 2024 · 3 comments · May be fixed by #6793
Labels
graph

Comments

@Greg05000
Copy link

Describe the issue
Hi,
Some AWS checks failed when resource is created with for_each or count element in modules.
Checks example :

  • CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
  • CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"

Cmd :
checkov -f tfplan2.json --check "CKV2_AWS_6,CKV_AWS_145" --framework "terraform_plan" --repo-root-for-plan-enrichment .

Result :

Passed checks: 0, Failed checks: 2, Skipped checks: 0

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
        FAILED for resource: module.aws_s3[0].aws_s3_bucket.this
        File: ../modules/aws-s3/main.tf
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

18 | resource "aws_s3_bucket" "this" {
19 |   provider = aws.alternate
20 |   bucket   = var.name
21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
        FAILED for resource: module.aws_s3[0].aws_s3_bucket.this
        File: ../modules/aws-s3/main.tf
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

18 | resource "aws_s3_bucket" "this" {
19 |   provider = aws.alternate
20 |   bucket   = var.name
21 | }

Examples
main.tf

module "aws_s3" {
  count       = 1
  source      = "../modules/aws-s3"
  name        = "cheeeeck"
  kms_key_arn = "********"
  providers = {
    aws.alternate = aws.sap_env
  }
}

or

module "aws_s3" {
  source      = "../modules/aws-s3"
  for_each    = { "ceckov" = "" }
  name        = each.key
  kms_key_arn = "********"
  providers = {
    aws.alternate = aws.sap_env
  }
}

../modules/aws-s3/main.tf

resource "aws_s3_bucket" "this" {
  provider = aws.alternate
  bucket   = var.name
}

resource "aws_s3_bucket_server_side_encryption_configuration" "cmk" {
  provider = aws.alternate
  bucket = aws_s3_bucket.this.bucket
  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = var.kms_key_arn
      sse_algorithm     = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "block_public" {
  provider = aws.alternate
  bucket = aws_s3_bucket.this.bucket
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

Desktop (please complete the following information):

  • OS: Ubuntu 22.04
  • Checkov Version: 3.2.43

Additional context
Checks passed if i use module for one resource :

  • key like => module.aws_s3.aws_s3_bucket.this will be created

Checks failed with for_each/count :

  • key like => module.aws_s3["ceckov"].aws_s3_bucket.this will be created
  • key like => module.aws_s3[0].aws_s3_bucket.this will be created

TF Plan example :

    "planned_values": {
        "root_module": {
            "child_modules": [{
                "resources": [{
                    "address": "module.aws_s3[0].aws_s3_bucket.this",
                    "mode": "managed",
                    "type": "aws_s3_bucket",
                    "name": "this",
                    "schema_version": 0,
                    "values": {
                        "bucket": "cheeeeck",
                        "force_destroy": false,
                        "tags": null,
                        "timeouts": null
                    },
                    "sensitive_values": {
                        "cors_rule": [],
                        "grant": [],
                        "lifecycle_rule": [],
                        "logging": [],
                        "object_lock_configuration": [],
                        "replication_configuration": [],
                        "server_side_encryption_configuration": [],
                        "tags_all": {},
                        "versioning": [],
                        "website": []
                    }
                }, {
                    "address": "module.aws_s3[0].aws_s3_bucket_public_access_block.block_public",
                    "mode": "managed",
                    "type": "aws_s3_bucket_public_access_block",
                    "name": "block_public",
                    "schema_version": 0,
                    "values": {
                        "block_public_acls": true,
                        "block_public_policy": true,
                        "bucket": "cheeeeck",
                        "ignore_public_acls": true,
                        "restrict_public_buckets": true
                    },
                    "sensitive_values": {}
                }, {
                    "address": "module.aws_s3[0].aws_s3_bucket_server_side_encryption_configuration.cmk",
                    "mode": "managed",
                    "type": "aws_s3_bucket_server_side_encryption_configuration",
                    "name": "cmk",
                    "schema_version": 0,
                    "values": {
                        "bucket": "cheeeeck",
                        "expected_bucket_owner": null,
                        "rule": [{
                            "apply_server_side_encryption_by_default": [{
                                "kms_master_key_id": "**************************",
                                "sse_algorithm": "aws:kms"
                            }],
                            "bucket_key_enabled": null
                        }]
                    },
                    "sensitive_values": {
                        "rule": [{
                            "apply_server_side_encryption_by_default": [{}]
                        }]
                    }
                }],
                "address": "module.aws_s3[0]"
            }]
        }
    },

Thanks
@sourava01
Copy link
Contributor

sourava01 commented Mar 28, 2024
edited
Loading

I have the same issue. Checks are failing even with terraform-aws-modules
It is probably only the checks which have a connection type defined are failing here.

module "s3-bucket_example_complete" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.0.0"
  lifecycle_rule = [
    {
      id                                     = "log1"
      enabled                                = true
      abort_incomplete_multipart_upload_days = 7

      noncurrent_version_transition = [
        {
          days          = 90
          storage_class = "GLACIER"
        }
      ]

      noncurrent_version_expiration = {
        days = 300
      }
    }
  ]
}

This module is failing CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration" and CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block" which should obviously pass.
This issue exists with both terraform and terraform_plan framework

@stale Stale
Copy link

stale bot commented Oct 5, 2024

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com
Thanks!

@stale stale bot added the stale label Oct 5, 2024
@Alex-Waring Alex-Waring linked a pull request Oct 24, 2024 that will close this issue
Open
5 tasks
@cristian-rincon
Copy link

Hi, is there any update on this issue? or workaround to handle this situation?

@stale stale bot removed the stale label Nov 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
graph
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

wip fix(terraform): evaluate inline checks for looped modules Alex-Waring/checkov
3 participants
@Greg05000 @cristian-rincon @sourava01