bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

False positives in ckv_aws_237 #6300

Open pingoleon108 opened 1 month ago

pingoleon108 commented 1 month ago

Describe the issue
If it is related to an existing check, please note the relevant check ID. Also, explain the logic for this addition / change.

ckv_aws_237

Examples
Please share an example code sample (in the IaC of your choice) + the expected outcomes.

We have 2 resources as part of the main apigateway.tf

resource "aws_api_gateway_deployment" "default" {
  rest_api_id       = aws_api_gateway_rest_api.default.*.id[0]
  description       = var.description
  stage_description = var.stage_description
  variables         = var.variables
  depends_on = [
    aws_api_gateway_rest_api_policy.default
  ]

  lifecycle {
    create_before_destroy = true
  }
}

and the dependency

resource "aws_api_gateway_rest_api" "default" {
  name        = var.name
  description = var.description
  body        = templatefile(var.body_filename, var.body_template_params)
  endpoint_configuration {
    types = var.types
  }

  tags = merge(
    var.platform_mandatory_tags,
    {
      "created_via" = "terra",
      "team"     = local.team_tag
    },
  )
}

As the Terraform note says: "Note that Terraform propagates and applies the create_before_destroy meta-attribute behaviour to all resource dependencies." That being said, ckv_aws_237 should pass for the above code because the aws_api_gateway_deployment resource has the lifecycle on it.

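The propagation argument in the report above, worked through as an added example (this is not Checkov's own code and does not use Checkov's check API). It models a CKV_AWS_237-style evaluation over a simplified representation of parsed Terraform: a dict from resource address ("type.name") to its attributes, with expressions kept as strings. The `aws_api_gateway_rest_api_policy.default` attributes and the `aws_api_gateway_rest_api.orphan` control resource are constructed for the example; the other two resources mirror the configuration in the issue. A resource passes when it sets `create_before_destroy` itself, or when any resource that transitively depends on it sets it, which is the behaviour the Terraform note describes.

```python
"""Added example, not Checkov's own code: a CKV_AWS_237-style check that accounts
for create_before_destroy propagating from a dependent resource to its dependencies.

Assumption: parsed Terraform is represented as {address: attribute_dict}, where
nested blocks are dicts and expressions are kept as plain strings."""
import re
from typing import Any, Dict, Iterable, Set

# Captures "type.name" out of references such as
# aws_api_gateway_rest_api.default or aws_api_gateway_rest_api.default.*.id[0].
# Non-resource prefixes (var., local., data.) are dropped later because they
# never appear as keys in the resource map.
REF_RE = re.compile(r"\b([a-z][a-z0-9_]*)\.([A-Za-z0-9_-]+)")


def _walk(value: Any) -> Iterable[Any]:
    """Yield every scalar inside a (possibly nested) attribute structure."""
    if isinstance(value, dict):
        for v in value.values():
            yield from _walk(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from _walk(v)
    else:
        yield value


def direct_references(conf: Dict[str, Any]) -> Set[str]:
    """Addresses a resource refers to, via depends_on or inside any expression."""
    refs: Set[str] = set()
    for value in _walk(conf):
        if isinstance(value, str):
            for rtype, name in REF_RE.findall(value):
                refs.add(f"{rtype}.{name}")
    return refs


def has_create_before_destroy(conf: Dict[str, Any]) -> bool:
    """True when the resource sets lifecycle { create_before_destroy = true }."""
    lifecycle = conf.get("lifecycle") or {}
    return bool(lifecycle.get("create_before_destroy"))


def transitive_dependencies(resources: Dict[str, Dict[str, Any]], address: str) -> Set[str]:
    """Every resource `address` depends on, directly or transitively."""
    seen: Set[str] = set()
    stack = [address]
    while stack:
        current = stack.pop()
        for ref in direct_references(resources.get(current, {})):
            if ref in resources and ref not in seen:
                seen.add(ref)
                stack.append(ref)
    return seen


def check_create_before_destroy(resources: Dict[str, Dict[str, Any]], address: str) -> str:
    """Evaluate the check for one resource.

    PASSED if the resource sets create_before_destroy itself, or if some other
    resource that sets it depends (transitively) on this one, since Terraform
    applies the meta-argument to all dependencies of that resource. FAILED otherwise."""
    if has_create_before_destroy(resources[address]):
        return "PASSED"
    for other, conf in resources.items():
        if other == address or not has_create_before_destroy(conf):
            continue
        if address in transitive_dependencies(resources, other):
            return "PASSED"
    return "FAILED"


# Constructed sample input modelled on the issue; the policy attributes and the
# "orphan" REST API are invented for the example.
RESOURCES: Dict[str, Dict[str, Any]] = {
    "aws_api_gateway_rest_api.default": {
        "name": "var.name",
        "description": "var.description",
        "body": "templatefile(var.body_filename, var.body_template_params)",
        "endpoint_configuration": {"types": "var.types"},
    },
    "aws_api_gateway_rest_api_policy.default": {
        "rest_api_id": "aws_api_gateway_rest_api.default.id",  # constructed
        "policy": "data.aws_iam_policy_document.default.json",  # constructed
    },
    "aws_api_gateway_deployment.default": {
        "rest_api_id": "aws_api_gateway_rest_api.default.*.id[0]",
        "description": "var.description",
        "stage_description": "var.stage_description",
        "variables": "var.variables",
        "depends_on": ["aws_api_gateway_rest_api_policy.default"],
        "lifecycle": {"create_before_destroy": True},
    },
    # Control case: nothing with create_before_destroy depends on it.
    "aws_api_gateway_rest_api.orphan": {"name": "orphan"},
}

if __name__ == "__main__":
    for addr in RESOURCES:
        print(f"{addr}: {check_create_before_destroy(RESOURCES, addr)}")
```

With this model the REST API from the issue passes because the deployment that sets `create_before_destroy` reaches it both through the `rest_api_id` reference and through `depends_on` on the policy, while the control REST API with no such dependant still fails. The `ref in resources` filter is what keeps `var.*`, `local.*` and `data.*` references from being treated as resources.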

mannycepeda1989 commented 1 month ago

Good afternoon @pingoleon108 , thank you for bringing this issue of a potential false positive to our attention. We will further investigate it.

pingoleon108 commented 1 month ago

Thanks @mannycepeda1989