bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0
6.97k stars 1.1k forks

Checkov no terraform_plan scan result for resource 'google_container_engine_versions' #5960

Open rlison47 opened 7 months ago

rlison47 commented 7 months ago

I am trying to create a customized checkov policy to ensure that the Google Kubernetes version remains up-to-date. But there is no terraform plan scan result or any error; it seems it can't scan the resource 'google_container_engine_versions'.

A snippet of the terraform plan.json

"resources": [
                {
                  "address": "module.gke_autopilot_cluster.data.google_compute_zones.available",
                  "mode": "data",
                  "type": "google_compute_zones",
                  "name": "available",
                  "provider_name": "registry.terraform.io/hashicorp/google-beta",
                  "schema_version": 0,
                  "values": {
                    "id": "projects/isg-ceso-ccm-pd-ll90/regions/asia-southeast1",
                    "names": [
                      "asia-southeast1-a",
                      "asia-southeast1-b",
                      "asia-southeast1-c"
                    ],
                    "project": "isg-ceso-ccm-pd-ll90",
                    "region": "asia-southeast1",
                    "status": null
                  },
                  "sensitive_values": {
                    "names": [
                      false,
                      false,
                      false
                    ]
                  }
                },
                {
                  "address": "module.gke_autopilot_cluster.data.google_container_engine_versions.region",
                  "mode": "data",
                  "type": "google_container_engine_versions",
                  "name": "region",
                  "provider_name": "registry.terraform.io/hashicorp/google",
                  "schema_version": 0,
                  "values": {
                    "default_cluster_version": "1.27.3-gke.100",
                    "id": "2024-01-18 17:10:17.366476564 +0000 UTC",
                    "latest_master_version": "1.28.5-gke.1217000",
                    "latest_node_version": "1.28.5-gke.1217000",
                    "location": "asia-southeast1",
                    "project": "isg-ceso-ccm-pd-ll90",
                    "release_channel_default_version": {
                      "RAPID": "1.28.3-gke.1286000",
                      "REGULAR": "1.27.3-gke.100",
                      "STABLE": "1.27.3-gke.100"
                    },
                    "release_channel_latest_version": {
                      "RAPID": "1.29.0-gke.1381000",
                      "REGULAR": "1.28.3-gke.1286000",
                      "STABLE": "1.28.3-gke.1203001"
                    }

Snippet of my code (there's no scan result, failed or passed)

google_container_engine_versions

changing the resource to 'google_container_cluster' there's a scan result

google_container_cluster

Need help on how I can scan for the resource 'google_container_engine_versions', since this is the only way I can check for the kubernetes version. Please let me know if there's a fix for this issue.

gruebel commented 7 months ago

hey @rlison47 thanks for reaching out.

You are trying to access the data block google_container_engine_versions, therefore your approach doesn't work. Here you can find an example of a GCP data block check: https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/gcp/GooglePolicyIsPrivate.py

rlison47 commented 7 months ago

Thanks @gruebel, will try to modify my customized checkov python. In case I need help on customizing, can I reach out? I'm still new to Checkov python.

rlison47 commented 7 months ago

Tried to change it to data block type but still not scanning

data_block
rlison47 commented 7 months ago

Snippet of my Checkov python code for your reference

from typing import Any, Dict, List

from checkov.common.models.enums import CheckCategories, CheckResult
from checkov.terraform.checks.data.base_check import BaseDataCheck


class CustomReleaseCheck(BaseDataCheck):
    def __init__(self) -> None:
        name = "Check for release_channel_default_version and stable keys"
        id = "CKV_GKE_001"

        supported_data = ["google_container_engine_versions"]
        categories = [CheckCategories.KUBERNETES]
        super().__init__(name=name, id=id, categories=categories, supported_data=supported_data)

    def scan_data_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
        """
        Check that release_channel_default_version.STABLE has the expected value.

        Checkov hands the check the block's attributes directly (there is no
        enclosing 'values' key) and wraps each attribute value in a list, so the
        original 'values' in conf test could never be true; unwrap before comparing.
        :param conf: google_container_engine_versions attributes
        :return: <CheckResult>
        """
        release_channel_default_version = conf.get("release_channel_default_version")
        if isinstance(release_channel_default_version, list) and release_channel_default_version:
            release_channel_default_version = release_channel_default_version[0]

        if isinstance(release_channel_default_version, dict):
            stable = release_channel_default_version.get("STABLE")
            if isinstance(stable, list) and stable:
                stable = stable[0]
            if stable == "1.27.3-gke.100":
                return CheckResult.PASSED

        return CheckResult.FAILED

    def get_evaluated_keys(self) -> List[str]:
        # path relative to the block's attributes, as checkov expects
        return ["release_channel_default_version/STABLE"]


check = CustomReleaseCheck()
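
As an added example, not code from the issue or from checkov, the following stand-alone module shows the logic a practitioner would actually want behind the check above: locate every `google_container_engine_versions` data block in a plan.json, present its attributes in the list-wrapped shape that is assumed here to mirror what checkov's plan parser hands to `scan_data_conf`, parse GKE version strings such as `1.27.3-gke.100` into comparable tuples, and pass when the STABLE channel default meets a version floor rather than one hard-coded literal. It does not import checkov; the plan fragment, module path and `CheckResult` enum are constructed for the example, and the UNKNOWN result models the case where the attribute is absent (as it is in a plain .tf file, where it is computed).

```python
import json
import re
from enum import Enum
from typing import Any, Dict, Iterator, Optional, Tuple

# Constructed plan.json fragment modelled on the data block quoted above; the
# module path is hypothetical and only the keys the check reads are kept.
PLAN_JSON = """{"planned_values": {"root_module": {"child_modules": [{
  "address": "module.gke_autopilot_cluster",
  "resources": [{
    "address": "module.gke_autopilot_cluster.data.google_container_engine_versions.region",
    "mode": "data", "type": "google_container_engine_versions", "name": "region",
    "values": {
      "location": "asia-southeast1",
      "default_cluster_version": "1.27.3-gke.100",
      "release_channel_default_version": {"RAPID": "1.28.3-gke.1286000", "REGULAR": "1.27.3-gke.100", "STABLE": "1.27.3-gke.100"},
      "release_channel_latest_version": {"RAPID": "1.29.0-gke.1381000", "REGULAR": "1.28.3-gke.1286000", "STABLE": "1.28.3-gke.1203001"}
    }
  }]
}]}}}"""

DATA_TYPE = "google_container_engine_versions"
GKE_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-gke\.(\d+)$")


class CheckResult(Enum):  # stand-in for checkov's enum
    PASSED = "PASSED"
    FAILED = "FAILED"
    UNKNOWN = "UNKNOWN"


def parse_gke_version(version: str) -> Tuple[int, ...]:
    """'1.27.3-gke.100' -> (1, 27, 3, 100); tuples then compare in release order."""
    m = GKE_VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not a GKE version string: {version!r}")
    return tuple(int(g) for g in m.groups())


def iter_modules(module: Dict[str, Any]) -> Iterator[Dict[str, Any]]:
    """Depth-first walk over root_module and every nested child_modules entry."""
    yield module
    for child in module.get("child_modules", []):
        yield from iter_modules(child)


def hclify(obj: Dict[str, Any]) -> Dict[str, Any]:
    """Wrap each attribute (nested dicts included) in a one-element list.
    Assumption: this imitates the list-wrapped conf shape checkov hands to a check."""
    return {k: [hclify(v)] if isinstance(v, dict) else [v] for k, v in obj.items()}


def unwrap(value: Any) -> Any:
    """Undo the one-element list wrapping; anything else is returned as-is."""
    return value[0] if isinstance(value, list) and len(value) == 1 else value


def data_confs(plan_json: str = PLAN_JSON) -> Dict[str, Dict[str, Any]]:
    """address -> hclified conf for every mode=data block of DATA_TYPE in planned_values."""
    root = json.loads(plan_json).get("planned_values", {}).get("root_module", {})
    return {
        r["address"]: hclify(r.get("values", {}))
        for module in iter_modules(root)
        for r in module.get("resources", [])
        if r.get("mode") == "data" and r.get("type") == DATA_TYPE
    }


def scan_data_conf(conf: Dict[str, Any], minimum: str = "1.27.0-gke.0") -> CheckResult:
    """PASSED when release_channel_default_version.STABLE is at least `minimum`.
    Same signature as a checkov BaseDataCheck.scan_data_conf, but stand-alone."""
    defaults = unwrap(conf.get("release_channel_default_version"))
    if not isinstance(defaults, dict):
        return CheckResult.UNKNOWN  # attribute absent, e.g. a plain .tf file
    stable = unwrap(defaults.get("STABLE"))
    if not isinstance(stable, str):
        return CheckResult.UNKNOWN
    try:
        at_least = parse_gke_version(stable) >= parse_gke_version(minimum)
    except ValueError:
        return CheckResult.UNKNOWN
    return CheckResult.PASSED if at_least else CheckResult.FAILED


def stable_minor_lag(conf: Dict[str, Any]) -> Optional[int]:
    """Minor releases by which the STABLE default trails the STABLE latest, or None."""
    defaults = unwrap(conf.get("release_channel_default_version"))
    latest = unwrap(conf.get("release_channel_latest_version"))
    if not (isinstance(defaults, dict) and isinstance(latest, dict)):
        return None
    current, newest = unwrap(defaults.get("STABLE")), unwrap(latest.get("STABLE"))
    if not (isinstance(current, str) and isinstance(newest, str)):
        return None
    return parse_gke_version(newest)[1] - parse_gke_version(current)[1]


def run(plan_json: str = PLAN_JSON, minimum: str = "1.27.0-gke.0") -> Dict[str, CheckResult]:
    """Evaluate the check for each matching data block in the plan."""
    return {addr: scan_data_conf(conf, minimum) for addr, conf in data_confs(plan_json).items()}
```

With the constructed fragment, `run()` passes against a 1.27 floor and fails against a 1.28 floor, and `stable_minor_lag` reports the default STABLE version one minor release behind the latest STABLE one; a floor is used instead of the literal equality in the posted check because an equality test starts failing the moment Google moves the channel forward.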
rlison47 commented 7 months ago

Any reason why Checkov still can't produce a terraform scan result for the data block google_container_engine_versions? Appreciate any advice or help on this. Thank You

rlison47 commented 7 months ago

@gruebel, could the size of the JSON file be a factor in the inability to scan and the absence of Terraform result output for passed and failed checks? It's worth noting that the line item for the data block Google Container Engine version alone is at line 2928 within the JSON file. The whole JSON file has 9722 lines. I'm stuck on this one, Any insights or guidance you can provide would be greatly appreciated. Thank you.

gruebel commented 7 months ago

that's not big at all, I tested checkov against a 500mb plan file 😄

The check itself doesn't look bad, hard to tell what could be wrong. Did you test it against a normal TF file? If it works correctly then we know your setup is correct, if not then you probably are missing the __init__.py file in the check folder. And what is inside the config file?

rlison47 commented 7 months ago

I see @gruebel thank you for your response. Using the same tf file I can perform TF scan for resource block 'google_container_cluster' but no TF scan result at all for data source 'google_container_engine_versions'. Any possibility of having a checkov policy to check if the Kubernetes run on a supported version for GCP GKE in the future? Just having difficulty with customizing it for now.

Scanning resource block 'google_container_cluster'

Scanning data block 'google_container_engine_versions', where the kubernetes version is located, is still not performing a TF scan. I tried to use a custom yaml.

stale[bot] commented 1 month ago

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!