Closed jkatic85 closed 1 year ago
Hi @jkatic85 thanks for reaching out.
I think we had that request in the past, but I can't find the GH issue. I will keep it open, till we either support it or I find the older issue. Nevertheless we don't plan to support `terragrunt` any time soon, therefore it won't help you much, when we implement it for `terraform`. You can still scan the generated plan file to get results for the policy.
Hey @gruebel 👋🏻
Thanks for responding so quickly!
As for `terragrunt`/`terraform`, they are interchangeable, and everything that works for `terraform` already works in `terragrunt` from my investigation (i.e. all our manifests were scanned and we got feedback from Checkov for things that can be improved). Also, plans would look the same whether it's `terraform plan` or `terragrunt plan`.
As for scanning the generated plan, if I understand correctly, you are saying this is already supported? Can you point me to the documentation that explains how to implement this?
@gruebel Would supporting the `file()` tf operator solve this issue?
@jkatic85 checkov can scan terraform plan files just like it scans HCL, you can run checkov with `--framework terraform_plan` to see for yourself
I think I was not precise enough. We don't support the special `terragrunt` syntax. So, when we would implement the support of the `file()` function, then we would just scan them, if they are directly used with a Terraform resource, like `aws_iam_role_policy`, but here it is referenced via the `inputs` block, which we don't evaluate.
Thanks for your inputs @nimrodkor and @gruebel, I've managed to write a custom action that scans the terraform/terragrunt plan output and Checkov works great with that.
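As an added example (not code from this issue, from Checkov or from the custom action mentioned above), the following shows why scanning the plan works where scanning the HCL does not: once terragrunt's `inputs` block has fed `file("policy.json")` into `aws_iam_role_policy`, the `terraform show -json` plan carries the resolved policy as a literal string, which a scanner can parse. The plan fragment is constructed, and the wildcard check is a simplified stand-in for Checkov's own IAM checks, not their implementation.

```python
import json

# Constructed `terraform show -json` fragment (not a real plan). terragrunt passed
# file("policy.json") through `inputs`, so the resolved policy is a literal string here.
CONSTRUCTED_PLAN = {"planned_values": {"root_module": {"resources": [{
    "address": "aws_iam_role_policy.example", "type": "aws_iam_role_policy",
    "values": {"name": "example", "policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})},
}]}}}

IAM_POLICY_TYPES = {"aws_iam_policy", "aws_iam_role_policy",
                    "aws_iam_user_policy", "aws_iam_group_policy"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def walk_resources(module):
    """Yield resources of a plan module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk_resources(child)


def overly_permissive(policy):
    """True if an Allow statement grants every action on every resource."""
    for st in _as_list(policy.get("Statement", [])):
        if (st.get("Effect") == "Allow" and "*" in _as_list(st.get("Action", []))
                and "*" in _as_list(st.get("Resource", []))):
            return True
    return False


def scan(plan):
    """Map address -> finding for inline IAM policies that are malformed or allow * on *."""
    findings = {}
    for r in walk_resources(plan["planned_values"]["root_module"]):
        raw = r.get("values", {}).get("policy")
        if r.get("type") not in IAM_POLICY_TYPES or raw is None:
            continue  # not an IAM policy, or value unknown until apply
        try:
            policy = json.loads(raw)
        except (TypeError, ValueError):
            policy = None
        if not isinstance(policy, dict):
            findings[r["address"]] = "malformed policy JSON"
        elif overly_permissive(policy):
            findings[r["address"]] = "allows * on *"
    return findings
```

`scan(CONSTRUCTED_PLAN)` flags `aws_iam_role_policy.example`, which is the same policy that passes silently when Checkov only sees the `terragrunt.hcl` file.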
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!
Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!
Describe the issue
At work, we keep our IAM policies defined in a `policy.json` file that lives next to a `terragrunt.hcl` file that applies it on our infrastructure. And, even though Checkov is useful to go through HCL files, it completely ignores the JSON file. Currently, the check only works if the policy is defined within the HCL file. It would be nice to have a way to parse JSON policy files and trigger if the file is too permissive, malformed, etc.
Existing AWS IAM policy checks that trigger when defining a policy inside the HCL file could be re-used to run through a JSON file. Some are mentioned below.
Examples
Keeping the policy inside an HCL file would trigger Checkov, i.e.:
This triggers the following checks to fail (redacted for readability):
But, if I have the same permissive policy in `policy.json` and I call it from `terragrunt.hcl`, it all passes:
`policy.json` contents:
`terragrunt.hcl` contents:
Manually running Checkov:
The outcome should be the same as the one mentioned above - Failed checks because the policy is too permissive.
Version (please complete the following information):
Additional context
This is a feature request (unless there is a way to run checks against JSON files which I am not aware of, in which case, please let me know how) to make Checkov a more complete tool.
Thank you!