bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

terraform_plan - modules - for_each / count issues #6113

Open Greg05000 opened 6 months ago

Greg05000 commented 6 months ago

Describe the issue

Hi, some AWS checks fail when a resource is created with a for_each or count element in modules. Check examples:

Cmd : checkov -f tfplan2.json --check "CKV2_AWS_6,CKV_AWS_145" --framework "terraform_plan" --repo-root-for-plan-enrichment .

Result :

Passed checks: 0, Failed checks: 2, Skipped checks: 0

Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
        FAILED for resource: module.aws_s3[0].aws_s3_bucket.this
        File: ../modules/aws-s3/main.tf
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached

18 | resource "aws_s3_bucket" "this" {
19 |   provider = aws.alternate
20 |   bucket   = var.name
21 | }

Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
        FAILED for resource: module.aws_s3[0].aws_s3_bucket.this
        File: ../modules/aws-s3/main.tf
        Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default

18 | resource "aws_s3_bucket" "this" {
19 |   provider = aws.alternate
20 |   bucket   = var.name
21 | }

Example main.tf:

module "aws_s3" {
  count       = 1
  source      = "../modules/aws-s3"
  name        = "cheeeeck"
  kms_key_arn = "********"
  providers = {
    aws.alternate = aws.sap_env
  }
}

or

module "aws_s3" {
  source      = "../modules/aws-s3"
  for_each    = { "ceckov" = "" }
  name        = each.key
  kms_key_arn = "********"
  providers = {
    aws.alternate = aws.sap_env
  }
}

../modules/aws-s3/main.tf:

resource "aws_s3_bucket" "this" {
  provider = aws.alternate
  bucket   = var.name
}

resource "aws_s3_bucket_server_side_encryption_configuration" "cmk" {
  provider = aws.alternate
  bucket = aws_s3_bucket.this.bucket
  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = var.kms_key_arn
      sse_algorithm     = "aws:kms"
    }
  }
}

resource "aws_s3_bucket_public_access_block" "block_public" {
  provider = aws.alternate
  bucket = aws_s3_bucket.this.bucket
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}


Additional context

Checks pass if I use the module for one resource:

Checks fail with for_each/count:

TF plan example:

    "planned_values": {
        "root_module": {
            "child_modules": [{
                "resources": [{
                    "address": "module.aws_s3[0].aws_s3_bucket.this",
                    "mode": "managed",
                    "type": "aws_s3_bucket",
                    "name": "this",
                    "schema_version": 0,
                    "values": {
                        "bucket": "cheeeeck",
                        "force_destroy": false,
                        "tags": null,
                        "timeouts": null
                    },
                    "sensitive_values": {
                        "cors_rule": [],
                        "grant": [],
                        "lifecycle_rule": [],
                        "logging": [],
                        "object_lock_configuration": [],
                        "replication_configuration": [],
                        "server_side_encryption_configuration": [],
                        "tags_all": {},
                        "versioning": [],
                        "website": []
                    }
                }, {
                    "address": "module.aws_s3[0].aws_s3_bucket_public_access_block.block_public",
                    "mode": "managed",
                    "type": "aws_s3_bucket_public_access_block",
                    "name": "block_public",
                    "schema_version": 0,
                    "values": {
                        "block_public_acls": true,
                        "block_public_policy": true,
                        "bucket": "cheeeeck",
                        "ignore_public_acls": true,
                        "restrict_public_buckets": true
                    },
                    "sensitive_values": {}
                }, {
                    "address": "module.aws_s3[0].aws_s3_bucket_server_side_encryption_configuration.cmk",
                    "mode": "managed",
                    "type": "aws_s3_bucket_server_side_encryption_configuration",
                    "name": "cmk",
                    "schema_version": 0,
                    "values": {
                        "bucket": "cheeeeck",
                        "expected_bucket_owner": null,
                        "rule": [{
                            "apply_server_side_encryption_by_default": [{
                                "kms_master_key_id": "**************************",
                                "sse_algorithm": "aws:kms"
                            }],
                            "bucket_key_enabled": null
                        }]
                    },
                    "sensitive_values": {
                        "rule": [{
                            "apply_server_side_encryption_by_default": [{}]
                        }]
                    }
                }],
                "address": "module.aws_s3[0]"
            }]
        }
    },

Thanks

sourava01 commented 6 months ago

I have the same issue. Checks are failing even with terraform-aws-modules. It is probably only the checks which have a connection type defined that are failing here.

module "s3-bucket_example_complete" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.0.0"
  lifecycle_rule = [
    {
      id                                     = "log1"
      enabled                                = true
      abort_incomplete_multipart_upload_days = 7

      noncurrent_version_transition = [
        {
          days          = 90
          storage_class = "GLACIER"
        }
      ]

      noncurrent_version_expiration = {
        days = 300
      }
    }
  ]
}

This module is failing CKV2_AWS_61: "Ensure that an S3 bucket has a lifecycle configuration" and CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block", which should obviously pass. This issue exists with both the terraform and terraform_plan frameworks.
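As an added example (not checkov's code and not the reporters'), a small Python walker over plan JSON that links the public-access block, SSE configuration and lifecycle configuration to their bucket by bucket name rather than by the indexed module address, which is what the `module.aws_s3[0]` / `module.aws_s3["ceckov"]` cases above need. The plan is a constructed excerpt modelled on tfplan2.json, the pass conditions are an approximation of CKV2_AWS_6, CKV_AWS_145 (from the report) and CKV2_AWS_61 (from the comment), and the KMS ARN is a placeholder.

```python
import re
# Constructed plan excerpt modelled on the report's tfplan2.json; the KMS ARN is a placeholder.
PLAN = {"planned_values": {"root_module": {"child_modules": [{
    "address": "module.aws_s3[0]",
    "resources": [
        {"address": "module.aws_s3[0].aws_s3_bucket.this", "type": "aws_s3_bucket",
         "values": {"bucket": "cheeeeck"}},
        {"address": "module.aws_s3[0].aws_s3_bucket_public_access_block.block_public",
         "type": "aws_s3_bucket_public_access_block",
         "values": {"bucket": "cheeeeck", "block_public_acls": True, "block_public_policy": True,
                    "ignore_public_acls": True, "restrict_public_buckets": True}},
        {"address": "module.aws_s3[0].aws_s3_bucket_server_side_encryption_configuration.cmk",
         "type": "aws_s3_bucket_server_side_encryption_configuration",
         "values": {"bucket": "cheeeeck", "rule": [{"apply_server_side_encryption_by_default": [
             {"kms_master_key_id": "arn:aws:kms:REGION:ACCOUNT:key/PLACEHOLDER", "sse_algorithm": "aws:kms"}]}]}},
    ]}]}}}
INDEX_RE = re.compile(r"\[[^\]]*\]")  # matches a count index [0] or a for_each key ["ceckov"]
PAB_FLAGS = ("block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets")

def strip_indexes(address):
    """module.aws_s3[0].aws_s3_bucket.this -> module.aws_s3.aws_s3_bucket.this"""
    return INDEX_RE.sub("", address)

def iter_resources(module):
    """Walk a plan module tree, yielding every resource at any nesting depth."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def uses_kms(sse):
    rules = sse.get("values", {}).get("rule", [])
    return any(d.get("sse_algorithm") == "aws:kms"
               for r in rules for d in r.get("apply_server_side_encryption_by_default", []))

def evaluate(plan):
    """Approximate the three checks; companions are linked to a bucket by its name, not its address."""
    resources = list(iter_resources(plan["planned_values"]["root_module"]))
    by_bucket = {}
    for r in resources:
        by_bucket.setdefault(r.get("values", {}).get("bucket"), []).append(r)
    results = {"CKV2_AWS_6": {}, "CKV_AWS_145": {}, "CKV2_AWS_61": {}}
    for b in (r for r in resources if r["type"] == "aws_s3_bucket"):
        key = strip_indexes(b["address"])  # index-insensitive identity for the bucket
        linked = {r["type"]: r for r in by_bucket.get(b["values"]["bucket"], []) if r is not b}
        pab = linked.get("aws_s3_bucket_public_access_block")
        results["CKV2_AWS_6"][key] = "PASSED" if pab and all(pab["values"].get(f) for f in PAB_FLAGS) else "FAILED"
        sse = linked.get("aws_s3_bucket_server_side_encryption_configuration")
        results["CKV_AWS_145"][key] = "PASSED" if sse and uses_kms(sse) else "FAILED"
        results["CKV2_AWS_61"][key] = "PASSED" if "aws_s3_bucket_lifecycle_configuration" in linked else "FAILED"
    return results
```

On the constructed plan the two checks from the report pass and CKV2_AWS_61 fails only because no lifecycle configuration resource is present, which is the expected outcome once module indexes are ignored.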