bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0
7.07k stars 1.11k forks

download-external-module flag fails for AWS Codecommit URLs sourced modules #5956

Closed multiverseloop closed 2 months ago

multiverseloop commented 9 months ago

Describe the issue

I have Terraform module code as below:

module "security_vpc_ap" {
  source = "git::codecommit::us-east-1://test?ref=v1.0.0"
  name = "test-vpc"
  cidr = var.test_cidr
  enable_dns_hostnames = true
  enable_dns_support   = true
  # VPC Flow Logs (Cloudwatch log group and IAM role will be created)
  enable_flow_log                      = true
  create_flow_log_cloudwatch_log_group = true
  create_flow_log_cloudwatch_iam_role  = true
  flow_log_max_aggregation_interval    = 60
}

I am running the static code analysis tool checkov, which has a dependency on gitpython >=3.1.30

failed to get git::codecommit::us-east-1://test?ref=v1.0.0 because of The codecommit:: protocol looks suspicious, use allow_unsafe_protocols=True to allow it.

Gitpython complains that the codecommit URL is not safe. If I manually install gitpython 3.1.29 then the below error doesn't show, but it conflicts with the checkov dependency.
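The warning quoted above comes from GitPython's protocol check: a git URL of the form `<helper>::<address>` makes git execute the external program `git-remote-<helper>`, and since one of git's built-in helpers (`ext::`) runs an arbitrary command, GitPython refuses every such prefix unless the caller opts in. The block below is an added example, not code from checkov or GitPython; it reproduces that refusal for the module source in this issue and shows how an explicit allowlist of helpers would admit `codecommit` without switching the check off globally. All function and constant names (`check_remote_helper`, `classify_module_sources`, `TRUSTED_REMOTE_HELPERS`) are hypothetical, and the two extra module blocks in the sample HCL are constructed for contrast.

```python
"""Added example (not checkov's or GitPython's code): why a Terraform module
source such as git::codecommit::us-east-1://test?ref=v1.0.0 is rejected by a
remote-helper protocol check, and how an allowlist of trusted helpers admits
codecommit while still refusing helpers nobody expected. Names are hypothetical.
"""
import re
from typing import Optional

# Terraform/go-getter forced-getter prefix; it is stripped before git sees the URL.
TERRAFORM_FORCED_GETTER = "git::"

# git's remote-helper syntax: "<helper>::<address>" makes git exec git-remote-<helper>.
REMOTE_HELPER_RE = re.compile(r"^([A-Za-z0-9_.-]+)::")

# Assumption: this environment only ever needs AWS git-remote-codecommit.
# "ext" is deliberately absent: that helper runs an external command, which is
# the reason a "<helper>::" prefix is treated as suspicious in the first place.
TRUSTED_REMOTE_HELPERS = frozenset({"codecommit"})


class UnsafeProtocolError(ValueError):
    """Raised when a module source would make git run an unexpected remote helper."""


def git_url_from_module_source(source: str) -> str:
    """Strip Terraform's forced-getter prefix so the remainder is what git receives."""
    if source.startswith(TERRAFORM_FORCED_GETTER):
        return source[len(TERRAFORM_FORCED_GETTER):]
    return source


def remote_helper(url: str) -> Optional[str]:
    """Return the helper name if url is "<helper>::...", else None (https://, ssh://, ...)."""
    m = REMOTE_HELPER_RE.match(url)
    return m.group(1) if m else None


def check_remote_helper(url: str, *, allow_unsafe_protocols: bool = False,
                        trusted_helpers: frozenset = TRUSTED_REMOTE_HELPERS) -> str:
    """Return the helper the URL would invoke ("" when none) or raise.

    With an empty allowlist this mirrors the behaviour quoted in the issue:
    every "<helper>::" prefix is refused unless allow_unsafe_protocols is set.
    The allowlist is the addition: one named helper is admitted, nothing else.
    """
    helper = remote_helper(url)
    if helper is None:
        return ""
    if helper in trusted_helpers or allow_unsafe_protocols:
        return helper
    raise UnsafeProtocolError(
        f"The {helper}:: protocol looks suspicious, use allow_unsafe_protocols=True to allow it."
    )


# Minimal extraction of `module "<name>" { ... source = "<url>" ... }` from HCL text.
MODULE_SOURCE_RE = re.compile(
    r'module\s+"(?P<name>[^"]+)"\s*\{[^}]*?source\s*=\s*"(?P<source>[^"]+)"')


def classify_module_sources(hcl: str, **kwargs) -> dict:
    """Map each module name to the helper it needs ("none" for plain URLs) or the refusal."""
    verdicts = {}
    for m in MODULE_SOURCE_RE.finditer(hcl):
        url = git_url_from_module_source(m.group("source"))
        try:
            verdicts[m.group("name")] = check_remote_helper(url, **kwargs) or "none"
        except UnsafeProtocolError as exc:
            verdicts[m.group("name")] = f"refused: {exc}"
    return verdicts


# The module from the issue plus two constructed blocks: a plain https source and an
# unknown helper name, so all three outcomes of the check appear.
SAMPLE_HCL = '''
module "security_vpc_ap" {
  source = "git::codecommit::us-east-1://test?ref=v1.0.0"
  name = "test-vpc"
}

module "https_module" {
  source = "git::https://example.invalid/org/repo.git?ref=v1.0.0"
}

module "somehelper_module" {
  source = "git::somehelper::host/repo"
}
'''

if __name__ == "__main__":
    for name, verdict in classify_module_sources(SAMPLE_HCL).items():
        print(f"{name}: {verdict}")
    # Same check with an empty allowlist reproduces the warning from the issue.
    for name, verdict in classify_module_sources(SAMPLE_HCL, trusted_helpers=frozenset()).items():
        print(f"[no allowlist] {name}: {verdict}")
```

Passing `trusted_helpers=frozenset()` reproduces the thread's situation exactly: `security_vpc_ap` is refused with the `codecommit::` message, and only `allow_unsafe_protocols=True` lets it through. The allowlist version is the narrower fix: it admits the one helper the deployment actually installs (`git-remote-codecommit`) and keeps refusing any other `<helper>::` prefix that turns up in a module source.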

JamesWoolfenden commented 9 months ago

With the latest 3.1.67 and with default options

checkov -f module.tf

all I get is:

Check: CKV_TF_1: "Ensure Terraform module sources use a commit hash"
    FAILED for resource: security_vpc_ap
    File: /module.tf:1-12
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/supply-chain-policies/terraform-policies/ensure-terraform-module-sources-use-git-url-with-commit-hash-revision

        1  | module "security_vpc_ap" {
        2  |   source = "git::codecommit::us-east-1://test?ref=v1.0.0"
        3  |   name = "test-vpc"
        4  |   cidr = var.test_cidr
        5  |   enable_dns_hostnames = true
        6  |   enable_dns_support   = true
        7  |   # VPC Flow Logs (Cloudwatch log group and IAM role will be created)
        8  |   enable_flow_log                      = true
        9  |   create_flow_log_cloudwatch_log_group = true
        10 |   create_flow_log_cloudwatch_iam_role  = true
        11 |   flow_log_max_aggregation_interval    = 60
        12 | }

Which is a valid failure. Are you doing something different?

multiverseloop commented 9 months ago

checkov --directory ./ --skip-path ./deploy --download-external-module true

I am using this command to run the checkov checks

JamesWoolfenden commented 9 months ago

Ok so we get an error from trying to download from codecommit

File "/Users/jwoolfenden/Library/Python/3.12/lib/python/site-packages/urllib3/util/retry.py", line 515, in increment
    raise MaxRetryError(_pool, url, reason) from reason  # type: ignore[arg-type]
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='www.bridgecrew.cloud', port=443): Max retries exceeded with url: /api/v2/guidelines (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1000)')))
2024-01-18 14:54:53,474 [ThreadPoolEx] [WARNI] failed to get git::codecommit::us-east-1://test?ref=v1.0.0 because of The codecommit:: protocol looks suspicious, use allow_unsafe_protocols=True to allow it.
2024-01-18 14:54:53,475 [ThreadPoolEx] [WARNI] failed to get git::codecommit::us-east-1://test?ref=v1.0.0 because of The codecommit:: protocol looks suspicious, use allow_unsafe_protocols=True to allow it.
2024-01-18 14:54:53,476 [ThreadPoolEx] [WARNI] failed to get git::codecommit::us-east-1://test?ref=v1.0.0 because of The codecommit:: protocol looks suspicious, use allow_unsafe_protocols=True to allow it.
2024-01-18 14:54:53,477 [ThreadPoolEx] [WARNI] Failed to download module git::codecommit::us-east-1://test?ref=v1.0.0:None
[ terraform framework ]: 100%|████████████████████|[1/1], Current File Scanned=module.tf
[ secrets framework ]: 100%|████████████████████|[1/1], Current File Scanned=./module.tf

I imagine because we haven't encountered sourcing modules from codecommit, which will require AWS auth, so we should either handle or ignore it.


multiverseloop commented 9 months ago

Is there a way I can let checkov use a pre-downloaded module directory in a certain path? For example, I can run terraform init so that the modules are downloaded in the .terraform folder.

Can checkov look at .terraform folder and consider them as the external module?

JamesWoolfenden commented 9 months ago

Are you using some code-commit git extension, as it doesn't even tf init:

│ Could not download module "security_vpc_ap" (module.tf:1) source code from "git::codecommit::us-east-1://test?ref=v1.0.0": error
│ downloading 'codecommit::us-east-1://test?ref=v1.0.0': /usr/local/bin/git exited with 128: Cloning into
│ '.terraform/modules/security_vpc_ap'...
│ git: 'remote-codecommit' is not a git command. See 'git --help'.

Yes you could look into the .terraform folder with checkov or use a plan check.

multiverseloop commented 9 months ago

I think you need git-remote-codecommit package to be installed before you can use the git::codecommit reference. https://github.com/aws/git-remote-codecommit

Do you know how I can do this with checkov to refer to .terraform folder or use a plan check?

JamesWoolfenden commented 9 months ago

Plan scanning: https://www.checkov.io/7.Scan%20Examples/Terraform%20Plan%20Scanning.html. The alternative is using terraform init to get the modules downloaded before you run checkov. Given the option, I'd go for the latter.

stale[bot] commented 3 months ago

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!

stale[bot] commented 2 months ago

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: codifiedsecurity.slack.com Thanks!