bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

CKV2_AZURE_31,CKV2_AZURE_32,CKV2_AZURE_33 do not pass if private endpoint or association is called from another module #4638

Closed IgorOrmus closed 10 months ago

IgorOrmus commented 1 year ago

Describe the issue: CKV2_AZURE_31, CKV2_AZURE_32 and CKV2_AZURE_33. These checks fail if the private endpoint or NSG association is created from another module.

Examples

resource "azurerm_storage_account" "storage_account" {
  name                            = lower(var.name)
  resource_group_name             = var.resource_group_name
  location                        = var.location
  account_kind                    = var.account_kind
  account_tier                    = var.account_tier
  account_replication_type        = var.account_replication_type
  access_tier                     = var.access_tier
  enable_https_traffic_only       = var.enable_https_traffic_only
  is_hns_enabled                  = var.hns_enabled
  min_tls_version                 = var.min_tls_version
  allow_nested_items_to_be_public = var.allow_nested_items_to_be_public
  public_network_access_enabled   = var.public_network_access_enabled
  dynamic "network_rules" {
    for_each = var.network_rules != null ? [var.network_rules] : []
    content {
      default_action = network_rules.value.default_action
    }
  }
  queue_properties {
    dynamic "logging" {
      for_each = var.queue_properties_logging != null ? [var.queue_properties_logging] : []
      content {
        delete                = logging.value.delete
        read                  = logging.value.read
        write                 = logging.value.write
        version               = logging.value.version
        retention_policy_days = logging.value.retention_policy_days
      }
    }
  }
  tags                            = var.tags
}

module "storage_account_private_endpoints" {
  depends_on = [
    azurerm_storage_account.storage_account
  ]
  source                               = "../azurerm_private_endpoint"
  for_each                             = { for private_endpoint in var.private_endpoints : private_endpoint.name => private_endpoint }

  name                                 = each.key
  private_service_connection_name      = each.value.private_service_connection_name
  subnet_name                          = each.value.subnet_name
  subnet_vnet_name                     = each.value.subnet_vnet_name
  subnet_resource_group_name           = each.value.subnet_resource_group_name
  is_manual_connection                 = each.value.is_manual_connection
  location                             = var.location
  private_connection_resource_id       = azurerm_storage_account.storage_account.id
  resource_group_name                  = each.value.resource_group_name
  subresource_names                    = each.value.subresource_names
  private_dns_zone_name                = each.value.private_dns_zone_name
  private_dns_zone_resource_group_name = each.value.private_dns_zone_resource_group_name
  tags                                 = var.tags
}

In the above example (the situation is the same for the key vault private endpoint), Checkov fails the check even though a private endpoint is provisioned with the resource.

Version (please complete the following information):

Additional context:

https://github.com/bridgecrewio/checkov/blob/main/tests/terraform/graph/checks/resources/AzureStorageAccConfigWithPrivateEndpoint/main.tf

@gruebel @praveen-panw would you be able to help?

gruebel commented 1 year ago

hey @IgorOrmus thanks for reaching out. We currently don't support for_each on module level, therefore I'm not surprised it fails. We are working on it, but there is a chance we won't be able to support your setup at the end.
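For comparison, this is the inline form that Checkov's own test resource (linked above) uses and that the graph checks can follow: the private endpoint and the NSG association are plain resources in the same configuration, referencing the storage account and subnet directly rather than through a for_each module. This is an added example, not code from the issue or from the Checkov project; the resource group, subnet and NSG names are assumed.

```hcl
# Added example (not from the issue). Resource names other than the storage
# account are assumptions; only azurerm_storage_account.storage_account comes
# from the original post.

# CKV2_AZURE_33: the graph check links the storage account to a private
# endpoint through private_service_connection.private_connection_resource_id.
# A direct attribute reference in the same configuration gives the graph an edge
# to resolve; a reference that only exists inside a for_each module does not.
resource "azurerm_private_endpoint" "storage_blob" {
  name                = "pe-storage-blob"
  location            = azurerm_resource_group.rg.location   # assumed
  resource_group_name = azurerm_resource_group.rg.name       # assumed
  subnet_id           = azurerm_subnet.private.id            # assumed

  private_service_connection {
    name                           = "psc-storage-blob"
    private_connection_resource_id = azurerm_storage_account.storage_account.id
    is_manual_connection           = false
    subresource_names              = ["blob"]
  }
}

# CKV2_AZURE_31: the subnet is considered protected when an
# azurerm_subnet_network_security_group_association in the same graph
# references it, again via a direct attribute reference.
resource "azurerm_subnet_network_security_group_association" "private" {
  subnet_id                 = azurerm_subnet.private.id                  # assumed
  network_security_group_id = azurerm_network_security_group.private.id # assumed
}
```

Writing the endpoint and association this way is a quick way to confirm that a remaining failure is the module for_each limitation described in this thread rather than a genuinely missing endpoint or association.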

ChanochShayner commented 1 year ago

Hey @IgorOrmus :) We have just finished adding support for the for_each/count meta-arguments in Terraform modules. Currently, it's behind two environment variables:

jed-exotic commented 1 year ago

I am experiencing similar failed checks for CKV2_AZURE_31 and CKV2_AZURE_33. Very similar situation -

CKV2_AZURE_33 - I create Private Endpoints as their own resource, with a private service connection for the corresponding storage account with the checkov failure.

CKV2_AZURE_31 - My VNET Subnets have NSGs through a module.

I've attempted to provide the env vars CHECKOV_NEW_TF_PARSER and CHECKOV_ENABLE_MODULES_FOREACH_HANDLING, and the checks still fail.

These are the steps I've configured the action to execute (on ubuntu-latest):

steps:
  - name: Checkout code
    uses: actions/checkout@v3
    with:
      fetch-depth: 0

  - name: Run checkov
    uses: bridgecrewio/checkov-action@master
    env:
      ## Checkov env vars to support foreach/count Meta-Args. See https://github.com/bridgecrewio/checkov/issues/4638
      CHECKOV_NEW_TF_PARSER: "True"
      CHECKOV_ENABLE_MODULES_FOREACH_HANDLING: "True"

corstuur commented 1 year ago

I also experience this issue for CKV2_AZURE_31. I have a module that creates the subnet, the NSG and the NSG association, but Checkov still thinks the subnet is not associated. In my case I am also using for_each on the resource in the module, which might make the issue more complex.

stale[bot] commented 11 months ago

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] commented 10 months ago

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: codifiedsecurity.slack.com Thanks!

jquinn99002 commented 1 month ago

This continues to be an issue. Are there plans to resolve this, @gruebel?