issues
search
aquasecurity
/
trivy
Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
https://aquasecurity.github.io/trivy
Apache License 2.0
22.31k
stars
2.2k
forks
source link
bug(misconf): Incorrect terraform submodules scanning
#7113
Open
nikpivkin
opened
2 weeks ago
nikpivkin
commented
2 weeks ago
Discussed in
https://github.com/aquasecurity/trivy/discussions/7106
Originally posted by **ajax-ryzhyi-r** July 7, 2024
### Description When there is a submodule call in terraform configuration trivy scans the parent module instead of the submodule. For example, when I have karpenter module call in configuration (`terraform-aws-modules/eks/aws//modules/karpenter`): ```hcl module "this" { count = var.enabled ? 1 : 0 source = "terraform-aws-modules/eks/aws//modules/karpenter" version = "20.5.0" ... } ``` trivy scans parent eks module instead `terraform-aws-modules/eks/aws`: ``` . (terraform) ============= Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1) Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0) terraform-aws-modules/eks/aws/modules/karpenter/main.tf (terraform) =================================================================== Tests: 12 (SUCCESSES: 6, FAILURES: 2, EXCEPTIONS: 4) Failures: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0) MEDIUM: Control plane controller manager logging is not enabled. ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ By default cluster control plane logging is not turned on. Logging is available for audit, api, authenticator, controllerManager and scheduler. All logging should be turned on for cluster control plane. See https://avd.aquasec.com/misconfig/avd-aws-0038 ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── terraform-aws-modules/eks/aws/modules/karpenter/main.tf:27-105 via karpenter.tf:1-21 (module.this[0]) ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 27 ┌ resource "aws_eks_cluster" "this" { 28 │ count = local.create ? 1 : 0 29 │ 30 │ name = var.cluster_name 31 │ role_arn = local.cluster_role 32 │ version = var.cluster_version 33 │ enabled_cluster_log_types = var.cluster_enabled_log_types 34 │ 35 └ access_config { .. ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── MEDIUM: Control plane scheduler logging is not enabled. ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ By default cluster control plane logging is not turned on. Logging is available for audit, api, authenticator, controllerManager and scheduler. All logging should be turned on for cluster control plane. See https://avd.aquasec.com/misconfig/avd-aws-0038 ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── terraform-aws-modules/eks/aws/modules/karpenter/main.tf:27-105 via karpenter.tf:1-21 (module.this[0]) ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 27 ┌ resource "aws_eks_cluster" "this" { 28 │ count = local.create ? 1 : 0 29 │ 30 │ name = var.cluster_name 31 │ role_arn = local.cluster_role 32 │ version = var.cluster_version 33 │ enabled_cluster_log_types = var.cluster_enabled_log_types 34 │ 35 └ access_config { .. ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── terraform-aws-modules/eks/aws/modules/karpenter/node_groups.tf (terraform) ========================================================================== Tests: 4 (SUCCESSES: 2, FAILURES: 0, EXCEPTIONS: 2) Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0) ``` This issue appeared in the 0.53.0 version everything was ok in 0.52.2 ### Desired Behavior Trivy scans submodules code instead of parent module ### Actual Behavior Trivy scans parent module code instead of submodule ### Reproduction Steps ```bash 1. Create root terraform module with `terraform-aws-modules/eks/aws//modules/karpenter` public module call 2. Run trivy scan ``` ### Target AWS ### Scanner Misconfiguration ### Output Format Table ### Mode Standalone ### Debug Output ```bash 2024-07-06T22:53:45+03:00 DEBUG Cache dir dir="/Users/romanryzhiy/Library/Caches/trivy" 2024-07-06T22:53:45+03:00 DEBUG Parsed severities severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL] 2024-07-06T22:53:45+03:00 INFO Misconfiguration scanning is enabled 2024-07-06T22:53:45+03:00 DEBUG Policies successfully loaded from disk 2024-07-06T22:53:45+03:00 DEBUG Enabling misconfiguration scanners scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot] 2024-07-06T22:53:45+03:00 DEBUG Initializing scan cache... type="memory" 2024-07-06T22:53:45+03:00 DEBUG [nuget] The nuget packages directory couldn't be found. License search disabled 2024-07-06T22:53:45+03:00 DEBUG Skipping path path=".terraform" 2024-07-06T22:53:45+03:00 DEBUG Scanning files for misconfigurations... scanner="Helm" 2024-07-06T22:53:45+03:00 DEBUG [misconf] 53:45.786751000 helm.scanner.rego Overriding filesystem for checks! 2024-07-06T22:53:45+03:00 DEBUG [misconf] 53:45.787418000 helm.scanner.rego Loaded 3 embedded libraries. 2024-07-06T22:53:45+03:00 DEBUG [misconf] 53:45.817514000 helm.scanner.rego Loaded 192 embedded policies. 2024-07-06T22:53:45+03:00 DEBUG [misconf] 53:45.869640000 helm.scanner.rego Loaded 195 checks from disk. 2024-07-06T22:53:45+03:00 DEBUG [misconf] 53:45.869914000 helm.scanner.rego Overriding filesystem for data! 2024-07-06T22:53:46+03:00 DEBUG Scanning files for misconfigurations... scanner="Kubernetes" 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.082653000 kubernetes.scanner.rego Overriding filesystem for checks! 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.083344000 kubernetes.scanner.rego Loaded 3 embedded libraries. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.113854000 kubernetes.scanner.rego Loaded 192 embedded policies. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.144842000 kubernetes.scanner.rego Loaded 195 checks from disk. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.145102000 kubernetes.scanner.rego Overriding filesystem for data! 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.355361000 kubernetes.scanner Scanning 4 files... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.355382000 kubernetes.scanner.rego Scanning 4 inputs... 2024-07-06T22:53:46+03:00 DEBUG Scanning files for misconfigurations... scanner="Terraform" 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.432011000 terraform.scanner Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13950610210180238632 1144196501 0x10b7e75e0}
} {{{0 0} {[] {} 0x140047e6320} map[backend.tf:0x14003db4c88 ec2nodeclass.tf:0x14003db4c98 flowschema.tf:0x14003db4ca8 karpenter.tf:0x14003db4cb8 nodepool.tf:0x14003db4cc8 provider.tf:0x14003db4cd8 provider_helm.tf:0x14003db4ce8 provider_k8s.tf:0x14003db4cf8 provider_kubectl.tf:0x14003db4d10 variables.tf:0x14003db4d20 versions.tf:0x14003db4d38 versions_override.tf:0x14003db4d48] 0}}}) .}] at '.'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.433998000 terraform.scanner.rego Overriding filesystem for checks! 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.434631000 terraform.scanner.rego Loaded 3 embedded libraries. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.460221000 terraform.scanner.rego Loaded 192 embedded policies. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.500231000 terraform.scanner.rego Loaded 195 checks from disk. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.500546000 terraform.scanner.rego Overriding filesystem for data! 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.704957000 terraform.parser.
Setting project/module root to '.' 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.704979000 terraform.parser.
Parsing FS from '.' 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.705044000 terraform.parser.
Parsing 'backend.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.706433000 terraform.parser.
Added file backend.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.706449000 terraform.parser.
Parsing 'ec2nodeclass.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.706859000 terraform.parser.
Added file ec2nodeclass.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.706865000 terraform.parser.
Parsing 'flowschema.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.707175000 terraform.parser.
Added file flowschema.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.707183000 terraform.parser.
Parsing 'karpenter.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.708070000 terraform.parser.
Added file karpenter.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.708077000 terraform.parser.
Parsing 'nodepool.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.708197000 terraform.parser.
Added file nodepool.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.708214000 terraform.parser.
Parsing 'provider.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.708396000 terraform.parser.
Added file provider.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.708401000 terraform.parser.
Parsing 'provider_helm.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.708775000 terraform.parser.
Added file provider_helm.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.708779000 terraform.parser.
Parsing 'provider_k8s.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.709884000 terraform.parser.
Added file provider_k8s.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.709891000 terraform.parser.
Parsing 'provider_kubectl.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.710148000 terraform.parser.
Added file provider_kubectl.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.710152000 terraform.parser.
Parsing 'variables.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.710528000 terraform.parser.
Added file variables.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.710535000 terraform.parser.
Parsing 'versions.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.710656000 terraform.parser.
Added file versions.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.711775000 terraform.parser.
Parsing 'versions_override.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.712045000 terraform.parser.
Added file versions_override.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.718937000 terraform.scanner Scanning root module '.'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.718969000 terraform.parser.
Setting project/module root to '.' 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.718972000 terraform.parser.
Parsing FS from '.' 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.719043000 terraform.parser.
Parsing 'backend.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.719188000 terraform.parser.
Added file backend.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.719198000 terraform.parser.
Parsing 'ec2nodeclass.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.719378000 terraform.parser.
Added file ec2nodeclass.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.719385000 terraform.parser.
Parsing 'flowschema.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.719444000 terraform.parser.
Added file flowschema.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.719450000 terraform.parser.
Parsing 'karpenter.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.719594000 terraform.parser.
Added file karpenter.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.719600000 terraform.parser.
Parsing 'nodepool.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.719659000 terraform.parser.
Added file nodepool.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.719665000 terraform.parser.
Parsing 'provider.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.719740000 terraform.parser.
Added file provider.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.719745000 terraform.parser.
Parsing 'provider_helm.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.719964000 terraform.parser.
Added file provider_helm.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.719970000 terraform.parser.
Parsing 'provider_k8s.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.720184000 terraform.parser.
Added file provider_k8s.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.720190000 terraform.parser.
Parsing 'provider_kubectl.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.720417000 terraform.parser.
Added file provider_kubectl.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.720423000 terraform.parser.
Parsing 'variables.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.720715000 terraform.parser.
Added file variables.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.720721000 terraform.parser.
Parsing 'versions.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.720777000 terraform.parser.
Added file versions.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.720783000 terraform.parser.
Parsing 'versions_override.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.720835000 terraform.parser.
Added file versions_override.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.720841000 terraform.parser.
Evaluating module... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.721727000 terraform.parser.
Read 32 block(s) and 0 ignore(s) for module 'root' (12 file[s])... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.722384000 terraform.parser.
Added 11 variables from tfvars. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.722443000 terraform.parser.
Working directory for module evaluation is "/Users/romanryzhiy/projects/terragrunt-live/ajax-cloud-infrastructure/aws/infrastructure/eu-west-1/_eks-addons/shared/karpenter/.terragrunt-cache/x7logYLWEQ7dpFt5pXPKdw2_1fE/VPpSpMz2McdABYrIdR3SQl_F05A/modules/karpenter" 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.722514000 terraform.parser.
.evaluator Filesystem key is 'bb40e7b073c3a6aa011f9508d56dec7bddbe9dd179a1175ad434eb7608529035' 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.722519000 terraform.parser.
.evaluator Starting module evaluation... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.723664000 terraform.parser.
.evaluator Expanded block 'aws_eks_pod_identity_association.this' into 1 clones via 'count' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.723713000 terraform.parser.
.evaluator Expanded block 'helm_release.this' into 1 clones via 'count' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.723755000 terraform.parser.
.evaluator Expanded block 'kubectl_manifest.flowschema' into 1 clones via 'count' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.723797000 terraform.parser.
.evaluator Expanded block 'kubectl_manifest.generic_ec2_node_class' into 1 clones via 'count' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.723813000 terraform.parser.
.evaluator Expanded block 'kubectl_manifest.generic_node_pool' into 0 clones via 'count' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.723880000 terraform.parser.
.evaluator Expanded block 'module.this' into 1 clones via 'count' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.723898000 terraform.parser.
.evaluator Expanded block 'kubectl_manifest.ec2_node_class' into 0 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.723950000 terraform.parser.
.evaluator Expanded block 'kubectl_manifest.node_pool' into 1 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.723955000 terraform.parser.
.evaluator Starting submodule evaluation... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.723960000 terraform.parser.
.evaluator locating non-initialized module 'terraform-aws-modules/eks/aws//modules/karpenter'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.723966000 terraform.parser.
.evaluator.resolver Resolving module 'module.this[0]' with source: 'terraform-aws-modules/eks/aws//modules/karpenter'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.724012000 terraform.parser.
.evaluator.resolver Trying to resolve: 5987466b9c26482070c9858af6b16ff7 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.724020000 terraform.parser.
.evaluator.resolver Module 'module.this[0]' resolving via cache... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.724030000 terraform.parser.
.evaluator.resolver Module path is . 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.724035000 terraform.parser.
.evaluator Module 'module.this[0]' resolved to path '.' in filesystem '/var/folders/6p/fnx4r0m959s0j721cyfy87dm0000gn/T/.aqua/cache/5987466b9c26482070c9858af6b16ff7' with prefix 'terraform-aws-modules/eks/aws/modules/karpenter' 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.724043000 terraform.parser.
Parsing FS from '.' 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.724304000 terraform.parser.
Parsing 'main.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.726578000 terraform.parser.
Added file main.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.726588000 terraform.parser.
Parsing 'node_groups.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.729682000 terraform.parser.
Added file node_groups.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.729694000 terraform.parser.
Parsing 'outputs.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.730733000 terraform.parser.
Added file outputs.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.730740000 terraform.parser.
Parsing 'variables.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.732821000 terraform.parser.
Added file variables.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.732828000 terraform.parser.
Parsing 'versions.tf'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.733031000 terraform.parser.
Added file versions.tf. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.733040000 terraform.parser.
.evaluator Loaded module "this[0]" from ".". 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.733042000 terraform.parser.
Evaluating module... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.739502000 terraform.parser.
Read 161 block(s) and 0 ignore(s) for module 'this[0]' (5 file[s])... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.739551000 terraform.parser.
Added 13 input variables from module definition. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.739599000 terraform.parser.
Working directory for module evaluation is "/Users/romanryzhiy/projects/terragrunt-live/ajax-cloud-infrastructure/aws/infrastructure/eu-west-1/_eks-addons/shared/karpenter/.terragrunt-cache/x7logYLWEQ7dpFt5pXPKdw2_1fE/VPpSpMz2McdABYrIdR3SQl_F05A/modules/karpenter" 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.739675000 terraform.parser.
.evaluator Evaluating submodule this[0] 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.739685000 terraform.parser.
.evaluator Filesystem key is 'ead433311225e71a1657ff8b77419bc00d1cc0cc69ac71ada904ce68ef280b1c' 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.739690000 terraform.parser.
.evaluator Starting module evaluation... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.756136000 terraform.parser.
.evaluator Expanded block 'aws_cloudwatch_log_group.this' into 1 clones via 'count' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.756306000 terraform.parser.
.evaluator Expanded block 'aws_eks_cluster.this' into 1 clones via 'count' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.756368000 terraform.parser.
.evaluator Expanded block 'aws_iam_openid_connect_provider.oidc_provider' into 1 clones via 'count' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.756441000 terraform.parser.
.evaluator Expanded block 'aws_iam_policy.cluster_encryption' into 1 clones via 'count' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.756451000 terraform.parser.
.evaluator Expanded block 'aws_iam_policy.cni_ipv6_policy' into 0 clones via 'count' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.756524000 terraform.parser.
.evaluator Expanded block 'aws_iam_role.this' into 1 clones via 'count' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.756560000 terraform.parser.
.evaluator Expanded block 'aws_iam_role_policy_attachment.cluster_encryption' into 1 clones via 'count' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.756609000 terraform.parser.
.evaluator Expanded block 'aws_security_group.cluster' into 1 clones via 'count' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.756660000 terraform.parser.
.evaluator Expanded block 'aws_security_group.node' into 1 clones via 'count' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.756717000 terraform.parser.
.evaluator Expanded block 'data.aws_iam_policy_document.assume_role_policy' into 1 clones via 'count' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.756729000 terraform.parser.
.evaluator Expanded block 'data.aws_iam_policy_document.cni_ipv6_policy' into 0 clones via 'count' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.756759000 terraform.parser.
.evaluator Expanded block 'data.tls_certificate.this' into 1 clones via 'count' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.756791000 terraform.parser.
.evaluator Expanded block 'time_sleep.this' into 1 clones via 'count' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.756839000 terraform.parser.
.evaluator Expanded block 'aws_ec2_tag.cluster_primary_security_group' into 0 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.756851000 terraform.parser.
.evaluator Expanded block 'aws_eks_access_entry.this' into 0 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.756860000 terraform.parser.
.evaluator Expanded block 'aws_eks_access_policy_association.this' into 0 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.756885000 terraform.parser.
.evaluator Expanded block 'aws_eks_addon.before_compute' into 0 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.756903000 terraform.parser.
.evaluator Expanded block 'aws_eks_addon.this' into 0 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.756915000 terraform.parser.
.evaluator Expanded block 'aws_eks_identity_provider_config.this' into 0 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.756927000 terraform.parser.
.evaluator Expanded block 'aws_iam_role_policy_attachment.additional' into 0 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.757032000 terraform.parser.
.evaluator Expanded block 'aws_iam_role_policy_attachment.this' into 2 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.757167000 terraform.parser.
.evaluator Expanded block 'aws_security_group_rule.cluster' into 1 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.758243000 terraform.parser.
.evaluator Expanded block 'aws_security_group_rule.node' into 10 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.758260000 terraform.parser.
.evaluator Expanded block 'data.aws_eks_addon_version.this' into 0 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.758276000 terraform.parser.
.evaluator Expanded block 'module.eks_managed_node_group' into 0 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.758288000 terraform.parser.
.evaluator Expanded block 'module.fargate_profile' into 0 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.758298000 terraform.parser.
.evaluator Expanded block 'module.self_managed_node_group' into 0 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.758336000 terraform.parser.
.evaluator Expanded block 'dynamic.kubernetes_network_config' into 1 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.758375000 terraform.parser.
.evaluator Expanded block 'dynamic.outpost_config' into 0 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.758417000 terraform.parser.
.evaluator Expanded block 'dynamic.encryption_config' into 1 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.758459000 terraform.parser.
.evaluator Expanded block 'dynamic.inline_policy' into 1 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.758548000 terraform.parser.
.evaluator Expanded block 'dynamic.principals' into 0 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.758573000 terraform.parser.
.evaluator Expanded block 'dynamic.outpost_config' into 0 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.758581000 terraform.parser.
.evaluator Expanded block 'dynamic.principals' into 0 clones via 'for_each' attribute. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.758583000 terraform.parser.
.evaluator Starting submodule evaluation... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.758592000 terraform.parser.
.evaluator locating non-initialized module 'terraform-aws-modules/kms/aws'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.758598000 terraform.parser.
.evaluator.resolver Resolving module 'module.this[0].module.kms' with source: 'terraform-aws-modules/kms/aws'... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.758648000 terraform.parser.
.evaluator.resolver Trying to resolve: 5f76ea7b66c00c9bf19f1424329c449f 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.758657000 terraform.parser.
.evaluator.resolver Module 'module.this[0].module.kms' resolving via cache... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.758668000 terraform.parser.
.evaluator.resolver Module path is . 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.758673000 terraform.parser.
.evaluator Module 'module.this[0].module.kms' resolved to path '.' in filesystem '/var/folders/6p/fnx4r0m959s0j721cyfy87dm0000gn/T/.aqua/cache/5f76ea7b66c00c9bf19f1424329c449f' with prefix 'terraform-aws-modules/eks/aws/modules/karpenter/terraform-aws-modules/kms/aws' 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.761747000 terraform.parser.
.evaluator Loaded module "kms" from ".". 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.764039000 terraform.parser.
.evaluator Evaluating submodule kms 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.770403000 terraform.parser.
.evaluator Evaluating submodule kms 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.777255000 terraform.parser.
.evaluator Submodule kms inputs unchanged 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.777277000 terraform.parser.
.evaluator All submodules are evaluated at i=2 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.777279000 terraform.parser.
.evaluator Starting post-submodule evaluation... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782008000 terraform.parser.
.evaluator Finished processing 1 submodule(s). 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782025000 terraform.parser.
.evaluator Module evaluation complete. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782037000 terraform.parser.
.evaluator Added module output access_entries=cty.EmptyTupleVal. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782042000 terraform.parser.
.evaluator Added module output access_policy_associations=cty.EmptyTupleVal. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782048000 terraform.parser.
.evaluator Added module output cloudwatch_log_group_arn=cty.StringVal(""). 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782058000 terraform.parser.
.evaluator Added module output cloudwatch_log_group_name=cty.StringVal(""). 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782063000 terraform.parser.
.evaluator Added module output cluster_addons=cty.NilVal. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782069000 terraform.parser.
.evaluator Added module output cluster_arn=cty.StringVal(""). 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782076000 terraform.parser.
.evaluator Added module output cluster_certificate_authority_data=cty.NilVal. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782082000 terraform.parser.
.evaluator Added module output cluster_endpoint=cty.NilVal. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782088000 terraform.parser.
.evaluator Added module output cluster_iam_role_arn=cty.StringVal(""). 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782097000 terraform.parser.
.evaluator Added module output cluster_iam_role_name=cty.StringVal(""). 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782103000 terraform.parser.
.evaluator Added module output cluster_iam_role_unique_id=cty.NilVal. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782110000 terraform.parser.
.evaluator Added module output cluster_id=cty.StringVal(""). 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782113000 terraform.parser.
.evaluator Added module output cluster_identity_providers=cty.EmptyTupleVal. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782118000 terraform.parser.
.evaluator Added module output cluster_name=cty.StringVal(""). 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782123000 terraform.parser.
.evaluator Added module output cluster_oidc_issuer_url=cty.NilVal. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782128000 terraform.parser.
.evaluator Added module output cluster_platform_version=cty.NilVal. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782134000 terraform.parser.
.evaluator Added module output cluster_primary_security_group_id=cty.NilVal. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782139000 terraform.parser.
.evaluator Added module output cluster_security_group_arn=cty.StringVal(""). 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782144000 terraform.parser.
.evaluator Added module output cluster_security_group_id=cty.StringVal(""). 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782149000 terraform.parser.
.evaluator Added module output cluster_status=cty.NilVal. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782155000 terraform.parser.
.evaluator Added module output cluster_tls_certificate_sha1_fingerprint=cty.NilVal. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782159000 terraform.parser.
.evaluator Added module output cluster_version=cty.NilVal. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782161000 terraform.parser.
.evaluator Added module output eks_managed_node_groups=cty.EmptyTupleVal. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782170000 terraform.parser.
.evaluator Added module output eks_managed_node_groups_autoscaling_group_names=cty.ListValEmpty(cty.String). 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782174000 terraform.parser.
.evaluator Added module output fargate_profiles=cty.EmptyTupleVal. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782177000 terraform.parser.
.evaluator Added module output kms_key_arn=cty.StringVal(""). 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782180000 terraform.parser.
.evaluator Added module output kms_key_id=cty.NilVal. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782182000 terraform.parser.
.evaluator Added module output kms_key_policy=cty.NilVal. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782187000 terraform.parser.
.evaluator Added module output node_security_group_arn=cty.StringVal(""). 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782192000 terraform.parser.
.evaluator Added module output node_security_group_id=cty.StringVal(""). 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782201000 terraform.parser.
.evaluator Added module output oidc_provider=cty.NilVal. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782231000 terraform.parser.
.evaluator Added module output oidc_provider_arn=cty.StringVal(""). 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782237000 terraform.parser.
.evaluator Added module output self_managed_node_groups=cty.EmptyTupleVal. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782247000 terraform.parser.
.evaluator Added module output self_managed_node_groups_autoscaling_group_names=cty.ListValEmpty(cty.String). 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782815000 terraform.parser.
.evaluator Submodule this[0] inputs unchanged 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782819000 terraform.parser.
.evaluator All submodules are evaluated at i=1 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.782821000 terraform.parser.
.evaluator Starting post-submodule evaluation... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.783240000 terraform.parser.
.evaluator Finished processing 2 submodule(s). 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.783243000 terraform.parser.
.evaluator Module evaluation complete. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.783247000 terraform.parser.
Finished parsing module 'root'. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.783251000 terraform.executor Adapting modules... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.784610000 terraform.executor Adapted 3 module(s) into defsec state data. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.784616000 terraform.executor Using max routines of 9 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.784670000 terraform.executor Initialized 487 rule(s). 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.784675000 terraform.executor Created pool with 9 worker(s) to apply rules. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.786383000 terraform.scanner.rego Scanning 1 inputs... 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.789175000 terraform.executor Finished applying rules. 2024-07-06T22:53:46+03:00 DEBUG [misconf] 53:46.789182000 terraform.executor Applying ignores... 2024-07-06T22:53:46+03:00 DEBUG OS is not detected. 2024-07-06T22:53:46+03:00 INFO Detected config files num=7 2024-07-06T22:53:46+03:00 DEBUG Scanned config file path="templates/manifests/flowschema.yaml" 2024-07-06T22:53:46+03:00 DEBUG Scanned config file path="templates/manifests/generic-nodepool.yaml" 2024-07-06T22:53:46+03:00 DEBUG Scanned config file path="terraform-aws-modules/eks/aws/modules/karpenter/main.tf" 2024-07-06T22:53:46+03:00 DEBUG Scanned config file path="terraform-aws-modules/eks/aws/modules/karpenter/node_groups.tf" 2024-07-06T22:53:46+03:00 DEBUG Scanned config file path="terraform-aws-modules/eks/aws/modules/karpenter/terraform-aws-modules/kms/aws/main.tf" 2024-07-06T22:53:46+03:00 DEBUG Scanned config file path="." 2024-07-06T22:53:46+03:00 DEBUG Scanned config file path="manifests/spot-nodepool.yaml" 2024-07-06T22:53:46+03:00 DEBUG Found an ignore file path="/Users/romanryzhiy/projects/terragrunt-live/ajax-cloud-infrastructure/.trivy/.trivyignore" 2024-07-06T22:53:46+03:00 DEBUG Ignored id="AVD-AWS-0342" target="." 2024-07-06T22:53:46+03:00 DEBUG Ignored id="AVD-AWS-0039" target="terraform-aws-modules/eks/aws/modules/karpenter/main.tf" 2024-07-06T22:53:46+03:00 DEBUG Ignored id="AVD-AWS-0040" target="terraform-aws-modules/eks/aws/modules/karpenter/main.tf" 2024-07-06T22:53:46+03:00 DEBUG Ignored id="AVD-AWS-0057" target="terraform-aws-modules/eks/aws/modules/karpenter/main.tf" 2024-07-06T22:53:46+03:00 DEBUG Ignored id="AVD-AWS-0107" target="terraform-aws-modules/eks/aws/modules/karpenter/main.tf" 2024-07-06T22:53:46+03:00 DEBUG Ignored id="AVD-AWS-0104" target="terraform-aws-modules/eks/aws/modules/karpenter/node_groups.tf" 2024-07-06T22:53:46+03:00 DEBUG Ignored id="AVD-AWS-0107" target="terraform-aws-modules/eks/aws/modules/karpenter/node_groups.tf" . (terraform) ============= Tests: 1 (SUCCESSES: 0, FAILURES: 0, EXCEPTIONS: 1) Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0) terraform-aws-modules/eks/aws/modules/karpenter/main.tf (terraform) =================================================================== Tests: 12 (SUCCESSES: 6, FAILURES: 2, EXCEPTIONS: 4) Failures: 2 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 0, CRITICAL: 0) MEDIUM: Control plane controller manager logging is not enabled. ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ By default cluster control plane logging is not turned on. Logging is available for audit, api, authenticator, controllerManager and scheduler. All logging should be turned on for cluster control plane. See https://avd.aquasec.com/misconfig/avd-aws-0038 ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── terraform-aws-modules/eks/aws/modules/karpenter/main.tf:27-105 via karpenter.tf:1-21 (module.this[0]) ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 27 ┌ resource "aws_eks_cluster" "this" { 28 │ count = local.create ? 1 : 0 29 │ 30 │ name = var.cluster_name 31 │ role_arn = local.cluster_role 32 │ version = var.cluster_version 33 │ enabled_cluster_log_types = var.cluster_enabled_log_types 34 │ 35 └ access_config { .. ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── MEDIUM: Control plane scheduler logging is not enabled. ═══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════ By default cluster control plane logging is not turned on. Logging is available for audit, api, authenticator, controllerManager and scheduler. All logging should be turned on for cluster control plane. See https://avd.aquasec.com/misconfig/avd-aws-0038 ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── terraform-aws-modules/eks/aws/modules/karpenter/main.tf:27-105 via karpenter.tf:1-21 (module.this[0]) ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 27 ┌ resource "aws_eks_cluster" "this" { 28 │ count = local.create ? 1 : 0 29 │ 30 │ name = var.cluster_name 31 │ role_arn = local.cluster_role 32 │ version = var.cluster_version 33 │ enabled_cluster_log_types = var.cluster_enabled_log_types 34 │ 35 └ access_config { .. ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── terraform-aws-modules/eks/aws/modules/karpenter/node_groups.tf (terraform) ========================================================================== Tests: 4 (SUCCESSES: 2, FAILURES: 0, EXCEPTIONS: 2) Failures: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0) ``` ### Operating System macOS Sonoma ### Version ```bash Version: 0.53.0 Check Bundle: Digest: sha256:ef2d9ad4fce0f933b20a662004d7e55bf200987c180e7f2cd531af631f408bb3 DownloadedAt: 2024-07-06 19:33:47.379711 +0000 UTC ``` ### Checklist - [X] Run `trivy clean --all` - [X] Read [the troubleshooting](https://aquasecurity.github.io/trivy/latest/docs/references/troubleshooting/)
Discussed in https://github.com/aquasecurity/trivy/discussions/7106