bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0
6.71k stars, 1.07k forks

Checks don't run when calling module count is set > 0 #6382

Open stvfltchr opened 1 month ago

stvfltchr commented 1 month ago

Creating an AWS security group in Terraform via a calling module with a count parameter. Resource checks relevant to security groups (for example CKV_AWS_23, CKV_AWS_24, CKV_AWS_25, CKV_AWS_260, CKV_AWS_277) aren't running for me when the resource is created via a calling module with count > 0. If there is no count parameter, the checks run. If count is set to 0, the checks run. If count is set to 1 or more, the checks don't run.

Example calling module (in directory ./examples/complete)

terraform {
  required_version = ">= 1.6.3"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
  }
}

provider "aws" {
  region = "us-east-1"
}

module "sg_created" {
  count  = 0
  source = "../../modules/sg"
  vpc_id = "vpc-xxxxxxxxxxxxxx"
  tags = {
    Name           = "test-sg-created"
    application    = "a123456789"
    environment    = "sandbox"
    ttl            = 0
    provisioned-by = "cicd"
  }
}

The module it's calling (./modules/sg.tf)

resource "aws_security_group" "test-sg" {
  name        = var.tags["Name"]
  vpc_id      = var.vpc_id
  tags        = var.tags
  description = "Test sg - OK to delete"
}

resource "aws_vpc_security_group_ingress_rule" "redis_inbound" {
  security_group_id = aws_security_group.test-sg.id
  cidr_ipv4         = "0.0.0.0/0" ## don't do this with prod code - just to simplify re-creatable error for this issue request
  from_port         = 6379
  ip_protocol       = "tcp"
  to_port           = 6379
  description       = "Allows inbound traffic from within the VPC"
}

Accompanying variables file (./modules/variables.tf):

variable "tags" {
  description = "A map of tags to assign to the security group."
  type        = map(string)
}

variable "vpc_id" {
  description = "VPC ID where the security group should be installed."
  type        = string
}

The code works fine to spin up and tear down a basic security group, and passes most of the checks if you comment out the count in the calling module, or set it to zero.

My expected behavior would be the opposite of what's happening: that the checks would run if count is > 0, because a resource is being created, but the checks wouldn't run if the count is 0, since no resource is being created.

Using Checkov version 3.2.39

I found some comments from a while back that count hadn't been implemented in early version 2, but wasn't able to find anything current on this. I appreciate any help you can offer or any status updates on count.
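The failure mode in this issue is that checks silently do not run, which a pass/fail summary never surfaces. The following is an added example (not code from the issue author and not Checkov's own code) of a small gate that reads `checkov -o json` output and reports which expected check IDs produced no result at all for a given resource, and which checks were evaluated in a baseline run (count = 0) but disappeared in a variant run (count = 1). It assumes the JSON layout of Checkov's report (a "results" object holding passed_checks / failed_checks / skipped_checks, each entry with "check_id" and "resource"); the two reports and the module-prefixed resource addresses are constructed by hand to mirror the behaviour described above, and their pass/fail placement is not a claim about how this particular HCL scores.

```python
"""Gate that flags Checkov checks which silently stopped running.

Added example; not Checkov's own code and not from the issue author.
Assumes the `checkov -o json` layout: a "results" object with
passed_checks / failed_checks / skipped_checks, each entry carrying
"check_id" and "resource". The reports below are constructed, and the
module-prefixed resource addresses are an assumption about how Checkov
names resources created through a module call.
"""
import json

# Check IDs the issue expects to evaluate a security group and its rules.
SG_CHECKS = ["CKV_AWS_23", "CKV_AWS_24", "CKV_AWS_25", "CKV_AWS_260", "CKV_AWS_277"]

RESULT_BUCKETS = ("passed_checks", "failed_checks", "skipped_checks")


def load_report(text: str) -> dict:
    """Parse `checkov -o json`; with several frameworks the output is a
    list of per-framework reports, so keep the terraform one."""
    data = json.loads(text)
    if isinstance(data, list):
        data = next(d for d in data if d.get("check_type") == "terraform")
    return data


def evaluated_checks(report: dict, resource_substring: str) -> set:
    """IDs of every check that produced a result (pass, fail or skip) for
    any resource whose address contains resource_substring."""
    results = report.get("results", {})
    return {
        entry["check_id"]
        for bucket in RESULT_BUCKETS
        for entry in results.get(bucket, [])
        if resource_substring in entry.get("resource", "")
    }


def missing_checks(report: dict, expected, resource_substring: str) -> list:
    """Expected check IDs that produced no result at all. This is the
    'did not run' condition, distinct from a failed check."""
    seen = evaluated_checks(report, resource_substring)
    return [c for c in expected if c not in seen]


def regressed_checks(baseline: dict, variant: dict, resource_substring: str) -> list:
    """Checks evaluated in a baseline report but absent from a variant,
    e.g. count = 0 versus count = 1 on the same module call."""
    before = evaluated_checks(baseline, resource_substring)
    after = evaluated_checks(variant, resource_substring)
    return sorted(before - after)


def _entry(check_id: str, resource: str, result: str) -> dict:
    return {"check_id": check_id, "resource": resource,
            "check_result": {"result": result}}


# Constructed reports (not real Checkov output); address prefix is assumed.
SG_ADDR = "module.sg_created.aws_security_group.test-sg"
RULE_ADDR = "module.sg_created.aws_vpc_security_group_ingress_rule.redis_inbound"

COUNT_ZERO_REPORT = {
    "check_type": "terraform",
    "results": {
        "passed_checks": [
            _entry("CKV_AWS_23", SG_ADDR, "PASSED"),
            _entry("CKV_AWS_23", RULE_ADDR, "PASSED"),
            _entry("CKV_AWS_24", SG_ADDR, "PASSED"),
            _entry("CKV_AWS_25", SG_ADDR, "PASSED"),
            _entry("CKV_AWS_260", SG_ADDR, "PASSED"),
        ],
        # Bucket placement is illustrative only.
        "failed_checks": [_entry("CKV_AWS_277", RULE_ADDR, "FAILED")],
        "skipped_checks": [],
    },
}

# count = 1 as described in the issue: nothing in the module was evaluated.
COUNT_ONE_REPORT = {
    "check_type": "terraform",
    "results": {"passed_checks": [], "failed_checks": [], "skipped_checks": []},
}


if __name__ == "__main__":
    print("missing with count=0:", missing_checks(COUNT_ZERO_REPORT, SG_CHECKS, "sg_created"))
    print("missing with count=1:", missing_checks(COUNT_ONE_REPORT, SG_CHECKS, "sg_created"))
    print("regressed:", regressed_checks(COUNT_ZERO_REPORT, COUNT_ONE_REPORT, "sg_created"))
```

In a pipeline, feed the real report with `load_report(open("results.json").read())` and fail the job when `missing_checks` is non-empty for resources you know exist; matching on a substring of the address keeps the gate working whether or not Checkov renders the `[0]` index for counted module instances.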