bridgecrewio / checkov

Prevent cloud misconfigurations and find vulnerabilities during build-time in infrastructure as code, container images and open source packages with Checkov by Bridgecrew.
https://www.checkov.io/
Apache License 2.0

CKV_GCP_76 errors when stack_type not present. #6425

Open daveS2 opened 2 weeks ago

daveS2 commented 2 weeks ago

Describe the issue

Check CKV_GCP_76 will error if stack_type is not present. For example, the default stack_type is IPV4_ONLY; however, checkov will error with a CKV_GCP_76. But when I specifically set the default stack_type in my IaC, I no longer get the issue. I would expect that, by default, if no stack_type is specified then CKV_GCP_76 should not be checked.

Examples

resource "google_compute_subnetwork" "subnetwork" {
  name                     = "name"
  ip_cidr_range            = "10.0.0.0/28"
  network                  = google_compute_network.vpc.self_link
  region                   = var.region
  private_ip_google_access = true
}

Results in

    FAILED for resource: google_compute_subnetwork.subnetwork
    File: /vpc.tf:27-40
    Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/google-cloud-policies/google-cloud-networking-policies/ensure-gcp-private-google-access-is-enabled-for-ipv6

        27 | resource "google_compute_subnetwork" "subnetwork" {
        28 |   name                     = "name"
        29 |   ip_cidr_range            = "10.0.0.0/28"
        30 |   network                  = google_compute_network.vpc.self_link
        31 |   region                   = var.region
        32 |   private_ip_google_access = true
        33 | 
        34 |   log_config {
        35 |     aggregation_interval = "INTERVAL_15_MIN"
        36 |     flow_sampling        = 0.5 
        37 |     metadata             = "INCLUDE_ALL_METADATA"
        38 |   }
        39 | 
        40 | }

And

resource "google_compute_subnetwork" "subnetwork" {
  name                     = "name"
  ip_cidr_range            = "10.0.0.0/28"
  network                  = google_compute_network.vpc.self_link
  region                   = var.region
  stack_type               = "IPV4_ONLY"
  private_ip_google_access = true

  log_config {
    aggregation_interval = "INTERVAL_15_MIN"
    flow_sampling        = 0.5 
    metadata             = "INCLUDE_ALL_METADATA"
  }

}

Results in no check being undertaken

Version (please complete the following information): 3.2.130

Additional context
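The behaviour the report asks for, written out as a standalone Python evaluator that can serve as a regression test. This is an added example, not checkov's own implementation of CKV_GCP_76. It assumes checkov's usual conf shape (each attribute value wrapped in a one-element list), that a missing stack_type means the provider default IPV4_ONLY as the report states, and that on dual-stack subnets the check inspects private_ipv6_google_access for one of the two enabling values; the last two points are assumptions, not taken from the page.

```python
from enum import Enum

# Added example, not checkov's own code: the decision logic the report expects
# from CKV_GCP_76. Assumptions: conf values are one-element lists (checkov's
# conf shape); absent stack_type == provider default IPV4_ONLY; the attribute
# inspected on dual-stack subnets is private_ipv6_google_access.


class Result(Enum):
    PASSED = "PASSED"
    FAILED = "FAILED"
    NOT_APPLICABLE = "NOT_APPLICABLE"  # IPv4-only subnet: nothing to check


PROVIDER_DEFAULT_STACK_TYPE = "IPV4_ONLY"
IPV6_ACCESS_OK = {
    "ENABLE_OUTBOUND_VM_ACCESS_TO_GOOGLE",
    "ENABLE_BIDIRECTIONAL_ACCESS_TO_GOOGLE",
}


def attr(conf, key, default=None):
    """Unwrap a one-element-list attribute; return default when it is absent."""
    value = conf.get(key)
    if isinstance(value, list):
        return value[0] if value else default
    return default if value is None else value


def check_ckv_gcp_76(conf):
    """Evaluate a google_compute_subnetwork conf the way the report expects."""
    stack_type = attr(conf, "stack_type", PROVIDER_DEFAULT_STACK_TYPE)
    if stack_type != "IPV4_IPV6":
        # No IPv6 range on the subnet, so the IPv6 private-access policy
        # has nothing to govern; the check must not fail here.
        return Result.NOT_APPLICABLE
    if attr(conf, "private_ipv6_google_access") in IPV6_ACCESS_OK:
        return Result.PASSED
    return Result.FAILED


# Constructed inputs mirroring the two resources in the report (log_config omitted).
SUBNET_NO_STACK_TYPE = {
    "name": ["name"],
    "ip_cidr_range": ["10.0.0.0/28"],
    "private_ip_google_access": [True],
}
SUBNET_IPV4_ONLY = {**SUBNET_NO_STACK_TYPE, "stack_type": ["IPV4_ONLY"]}
SUBNET_DUAL_STACK_NO_ACCESS = {**SUBNET_NO_STACK_TYPE, "stack_type": ["IPV4_IPV6"]}
SUBNET_DUAL_STACK_OK = {
    **SUBNET_DUAL_STACK_NO_ACCESS,
    "private_ipv6_google_access": ["ENABLE_OUTBOUND_VM_ACCESS_TO_GOOGLE"],
}
```

Running check_ckv_gcp_76 over the first two constructed inputs gives NOT_APPLICABLE for both, which is the parity between "stack_type omitted" and "stack_type = IPV4_ONLY" that the report expects.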