Closed IgorOrmus closed 10 months ago
hey @IgorOrmus thanks for reaching out.
We currently don't support for_each on module level, therefore I'm not surprised it fails. We are working on it, but there is a chance we won't be able to support your setup at the end.
Hey @IgorOrmus :) We have just finished adding support for the for_each/count meta-arguments in Terraform modules. Currently it is behind two environment variables:
CHECKOV_NEW_TF_PARSER
CHECKOV_ENABLE_MODULES_FOREACH_HANDLING
To recheck your setup, please set those variables to True.
Feel free to reach out in case something is not working.
I am experiencing similar failed checks for CKV2_AZURE_31 and CKV2_AZURE_33. Very similar situation:
CKV2_AZURE_33 - I create Private Endpoints as their own resource, with a private service connection for the corresponding storage account, with the checkov failure.
CKV2_AZURE_31 - My VNET Subnets have NSGs through a module.
I've attempted to provide the env vars CHECKOV_NEW_TF_PARSER and CHECKOV_ENABLE_MODULES_FOREACH_HANDLING and still get the failures.
These are the steps I've configured the action to execute (on ubuntu-latest):
steps:
  - name: Checkout code
    uses: actions/checkout@v3
    with:
      fetch-depth: 0
  - name: Run checkov
    uses: bridgecrewio/checkov-action@master
    env:
      ## Checkov env vars to support foreach/count Meta-Args. See https://github.com/bridgecrewio/checkov/issues/4638
      CHECKOV_NEW_TF_PARSER: "True"
      CHECKOV_ENABLE_MODULES_FOREACH_HANDLING: "True"
I also experience this issue for CKV2_AZURE_31. I have a module that creates the subnet, NSG and the NSG association, but checkov still thinks it is not associated. In my case I am also using for_each on the resource in the module, which might make the issue more complex.
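As a constructed illustration of the setup the comments above describe (not code posted by any commenter and not from the Checkov project), here is the shape of a root module that creates subnets, NSGs and the NSG associations through a child module invoked with for_each. The resource names, variable names and the module path are assumptions; the point is that the subnet-to-NSG edge that CKV2_AZURE_31 looks for exists only inside the child module, which is the case the two environment variables from this thread are meant to cover.

```hcl
# ---- root module (main.tf) ---- constructed example, not from the issue
variable "resource_group_name" { type = string }
variable "vnet_name"           { type = string }
variable "location"            { type = string }

# Two subnets, each of which should end up with its own NSG attached.
variable "subnets" {
  type = map(object({ address_prefix = string }))
  default = {
    "app" = { address_prefix = "10.0.1.0/24" }
    "db"  = { address_prefix = "10.0.2.0/24" }
  }
}

# Module-level for_each (Terraform >= 0.13): one child-module instance per subnet.
module "subnet" {
  source   = "./modules/subnet" # hypothetical path
  for_each = var.subnets

  name                 = each.key
  address_prefix       = each.value.address_prefix
  resource_group_name  = var.resource_group_name
  virtual_network_name = var.vnet_name
  location             = var.location
}

# ---- child module (modules/subnet/main.tf) ----
# Subnet, NSG and the association are all created here, so a scanner that
# does not expand the for_each module cannot see that the subnet has an NSG.
variable "name"                 { type = string }
variable "address_prefix"       { type = string }
variable "resource_group_name"  { type = string }
variable "virtual_network_name" { type = string }
variable "location"             { type = string }

resource "azurerm_subnet" "this" {
  name                 = var.name
  resource_group_name  = var.resource_group_name
  virtual_network_name = var.virtual_network_name
  address_prefixes     = [var.address_prefix]
}

resource "azurerm_network_security_group" "this" {
  name                = "${var.name}-nsg"
  location            = var.location
  resource_group_name = var.resource_group_name
}

# The edge CKV2_AZURE_31 needs: subnet -> NSG association.
resource "azurerm_subnet_network_security_group_association" "this" {
  subnet_id                 = azurerm_subnet.this.id
  network_security_group_id = azurerm_network_security_group.this.id
}
```

To check only this rule with the module-expansion flags from the thread enabled, run `CHECKOV_NEW_TF_PARSER=True CHECKOV_ENABLE_MODULES_FOREACH_HANDLING=True checkov -d . --check CKV2_AZURE_31` from the root module directory; if the association is still reported as missing, the module-level for_each expansion is the first thing to suspect.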
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!
Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: codifiedsecurity.slack.com Thanks!
This continues to be an issue. Are there plans to resolve this, @gruebel?
Describe the issue: CKV2_AZURE_31, CKV2_AZURE_32 and CKV2_AZURE_33. These checks fail if the private endpoint or NSG association is called from another module.
Examples
In the above example, which is the same for a key vault private endpoint, checkov fails the test even though a private endpoint is provisioned with the resource.
Version (please complete the following information):
Additional context Add any other context about the problem here.
https://github.com/bridgecrewio/checkov/blob/main/tests/terraform/graph/checks/resources/AzureStorageAccConfigWithPrivateEndpoint/main.tf
@gruebel @praveen-panw would you be able to help?