Open rlison47 opened 7 months ago
hey @rlison47 thanks for reaching out.
You are trying to access the data block google_container_engine_versions. Therefore your approach doesn't work. Here you can find an example for a GCP data block check https://github.com/bridgecrewio/checkov/blob/main/checkov/terraform/checks/data/gcp/GooglePolicyIsPrivate.py
Thanks @gruebel, will try to modify my customized Checkov Python. In case I need help on customizing, can I reach out? I'm still new to Checkov Python.
Tried to change it to the data block type but it's still not scanning.
Snippet of my Checkov Python code for your reference:
from typing import Dict, List, Any
from checkov.terraform.checks.data.base_check import BaseDataCheck
from checkov.common.models.enums import CheckResult, CheckCategories


class CustomReleaseCheck(BaseDataCheck):
    def __init__(self):
        name = "Check for release_channel_default_version and stable keys"
        id = "CKV_GKE_001"
        supported_data = ["google_container_engine_versions"]
        categories = [CheckCategories.KUBERNETES]
        super().__init__(name=name, id=id, categories=categories, supported_data=supported_data)

    def scan_data_conf(self, conf: Dict[str, List[Any]]) -> CheckResult:
        """
        Check for the presence of release_channel_default_version and stable keys in a dictionary.
        :param conf: Dictionary to be checked
        :return: <CheckResult>
        """
        if 'values' in conf and 'release_channel_default_version' in conf['values']:
            release_channel_default_version = conf['values']['release_channel_default_version']
            if (
                isinstance(release_channel_default_version, dict)
                and 'STABLE' in release_channel_default_version
                and release_channel_default_version['STABLE'] == "1.27.3-gke.100"
            ):
                print("The evaluated key is: values/release_channel_default_version/STABLE")
                return CheckResult.PASSED
        return CheckResult.FAILED

    def get_evaluated_keys(self) -> List[str]:
        return ['values/release_channel_default_version/STABLE']


check = CustomReleaseCheck()
Any reason why Checkov still can't produce a Terraform scan result for the data block google_container_engine_versions? Appreciate any advice or help on this. Thank you.
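As an added example (not code from the issue, its author or Checkov), the version comparison from the snippet above is pulled out of scan_data_conf into plain functions so it can be unit-tested without Checkov installed. It tolerates both the raw plan-JSON 'values' wrapper the snippet expects and the single-element-list wrapping Checkov uses for attribute values in conf (that the plan parser presents data blocks the same way is an assumption to confirm against your own plan.json), and it generalises the hard-coded equality to a minimum-version check; the sample inputs are constructed.

```python
from typing import Any, Dict, Optional, Tuple

# Constructed sample in the raw plan-JSON shape the issue's check expects.
PLAN_SHAPE: Dict[str, Any] = {
    "values": {"release_channel_default_version": {"STABLE": "1.27.3-gke.100",
                                                   "REGULAR": "1.27.3-gke.100"}}
}
# Constructed sample with attribute values wrapped in single-element lists, as Checkov
# presents HCL attributes in conf (assumption: plan data blocks arrive the same way).
LIST_SHAPE: Dict[str, Any] = {
    "release_channel_default_version": [{"STABLE": "1.26.5-gke.1200"}],
    "location": ["us-central1"],
}


def unwrap(value: Any) -> Any:
    """Undo one level of Checkov's single-element-list wrapping, if present."""
    if isinstance(value, list) and len(value) == 1:
        return value[0]
    return value


def stable_version(conf: Dict[str, Any]) -> Optional[str]:
    """Locate values/release_channel_default_version/STABLE regardless of wrapper shape."""
    attrs = unwrap(conf.get("values", conf))  # tolerate an outer 'values' wrapper
    if not isinstance(attrs, dict):
        return None
    channels = unwrap(attrs.get("release_channel_default_version"))
    if not isinstance(channels, dict):
        return None
    stable = unwrap(channels.get("STABLE"))
    return stable if isinstance(stable, str) else None


def parse_gke_version(version: str) -> Tuple[int, ...]:
    """'1.27.3-gke.100' -> (1, 27, 3, 100); non-numeric components compare as 0."""
    core, _, gke_patch = version.partition("-gke.")
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    parts.append(int(gke_patch) if gke_patch.isdigit() else 0)
    return tuple(parts)


def evaluate(conf: Dict[str, Any], minimum: str = "1.27.3-gke.100") -> str:
    """'PASSED' when the STABLE channel default is at or above `minimum`, else 'FAILED'.
    Mirrors CheckResult.PASSED/FAILED so scan_data_conf can map the string back."""
    found = stable_version(conf)
    if found is None:
        return "FAILED"  # key absent: fail closed rather than skip
    return "PASSED" if parse_gke_version(found) >= parse_gke_version(minimum) else "FAILED"
```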
@gruebel, could the size of the JSON file be a factor in the inability to scan and the absence of Terraform result output for passed and failed checks? It's worth noting that the line item for the data block Google Container Engine version alone is at line 2928 within the JSON file. The whole JSON file has 9722 lines. I'm stuck on this one. Any insights or guidance you can provide would be greatly appreciated. Thank you.
that's not big at all, I tested checkov against a 500mb plan file 😄
The check itself doesn't look bad, hard to tell what could be wrong. Did you test it against a normal TF file? If it works correctly then we know your setup is correct, if not then you probably are missing the __init__.py file in the check folder. And what is inside the config file?
I see @gruebel thank you for your response. Using the same tf file I can perform TF scan for resource block 'google_container_cluster' but no TF scan result at all for data source 'google_container_engine_versions'. Any possibility of having a checkov policy to check if the Kubernetes run on a supported version for GCP GKE in the future? Just having difficulty with customizing it for now.
Scanning resource block 'google_container_cluster'
Scanning data block 'google_container_engine_versions', where the Kubernetes version is located, is still not performing a TF scan. I tried to use a custom YAML.
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!
I am trying to create a customized Checkov policy to ensure that the Google Kubernetes version remains up-to-date. But there's no Terraform plan scan result or any error; it seems it can't scan the resource 'google_container_engine_versions'.
A snippet of the terraform plan.json
Snippet of my code (there's no scan result, failed or passed)
Changing the resource to 'google_container_cluster', there's a scan result
Need help on how I can scan for the resource 'google_container_engine_versions', since this is the only way I can check for the Kubernetes version. Please let me know if there's a fix for this issue.