
Checkov does not evaluate Terraform dynamic blocks

Open andrea-defraia opened this issue 3 years ago • 5 comments

I misunderstood the issue, the issue is due to checkov not evaluating dynamic blocks.
Originally posted by @daniel-shuy in https://github.com/bridgecrewio/checkov/issues/1812#issuecomment-948793631

I'm using checkov on modules, in particular using GH action:

      - name: Checkov security scan for Modules
        id: checkov
        uses: bridgecrewio/checkov-action@master
        with:
          directory: ${{matrix.modules}}
          quiet: true
          soft_fail: false
          framework: terraform

This fails on every resource that has a security feature set as a dynamic block, like dynamic "encryption... or dynamic "logging" etc. Even if the variables that govern those dynamic blocks default to "encrypt = true" or "enable_logging" and so on.

Example with S3 resource:

resource "aws_s3_bucket" "main" {
...
  # Versioning is only rendered when var.versioning is non-empty
  dynamic "versioning" {
    for_each = length(keys(var.versioning)) == 0 ? [] : [var.versioning]

    content {
      enabled    = lookup(versioning.value, "enabled", null)
      mfa_delete = lookup(versioning.value, "mfa_delete", null)
    }
  }
}

variable "versioning" {
  description = "Map containing versioning configuration."
  type        = map(string)
  default = {
    enabled = true
  }
}

The only way to have the builds succeed is to add #checkov:skip=CKV_AWS_21: Versioning is enabled, but dynamic to the resource. However, if someone in a PR edits the default variable values, versioning will be disabled and the builds will succeed. How can I have my builds run successfully only when versioning is actually enabled by default, AND dynamic? Same goes for logging, encryption, monitoring, backups... and a lot of similar settings that are done via dynamic blocks.

andrea-defraia avatar Nov 22 '21 10:11 andrea-defraia
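The gap described in the issue is that a source-level scan sees no versioning block at all when it is declared dynamically, so the check cannot tell "enabled by default" from "removed". A Terraform plan has dynamic blocks already expanded, so evaluating the same requirement against the plan JSON distinguishes the two cases. The script below is an added example, not part of the issue thread or Checkov's own code; it assumes the JSON layout emitted by `terraform plan -out tf.plan && terraform show -json tf.plan`, and the sample plan embedded in it is constructed by hand to mirror that layout (one bucket whose default left versioning enabled, one where the block expanded to nothing).

```python
"""Evaluate the S3 versioning requirement against a Terraform plan JSON,
where dynamic blocks are already expanded (added example, not Checkov code)."""
import json

# Constructed sample in the shape of `terraform show -json`: nested blocks such
# as "versioning" appear under values as a list, empty when the dynamic block
# produced no content.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.0",
    "planned_values": {"root_module": {
        "resources": [],
        "child_modules": [{
            "address": "module.bucket",
            "resources": [
                {"address": "module.bucket.aws_s3_bucket.main",
                 "type": "aws_s3_bucket", "name": "main",
                 "values": {"bucket": "good",
                            "versioning": [{"enabled": True, "mfa_delete": None}]}},
                {"address": "module.bucket.aws_s3_bucket.other",
                 "type": "aws_s3_bucket", "name": "other",
                 "values": {"bucket": "bad", "versioning": []}},
            ]}]}}})


def iter_resources(module):
    """Yield every resource in a planned_values module tree, recursively."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def versioning_enabled(resource):
    """True only when an expanded versioning block exists and enabled is true."""
    blocks = resource.get("values", {}).get("versioning") or []
    return any(block.get("enabled") is True for block in blocks)


def check_plan(plan_json):
    """Return addresses of aws_s3_bucket resources that lack enabled versioning."""
    plan = json.loads(plan_json)
    root = plan.get("planned_values", {}).get("root_module", {})
    return sorted(r["address"] for r in iter_resources(root)
                  if r.get("type") == "aws_s3_bucket" and not versioning_enabled(r))


if __name__ == "__main__":
    failing = check_plan(SAMPLE_PLAN)
    for address in failing:
        print(f"FAILED: {address} does not have versioning enabled")
    raise SystemExit(1 if failing else 0)
```

Because the check runs on expanded values, editing the `versioning` variable default to `{}` in a PR makes the block disappear from the plan and the gate fails, which is exactly the behaviour the skip annotation could not provide.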

I just ran into this issue myself.

cochrasc avatar Jan 24 '22 21:01 cochrasc

Same issue here ☹️

dfrkp avatar May 14 '22 06:05 dfrkp

I also just ran into this issue - does anyone know of any workarounds or whether dynamic block support is on the roadmap?

deding avatar Jun 20 '22 14:06 deding

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] avatar Dec 18 '22 01:12 stale[bot]

Bump

joemccall86 avatar Dec 18 '22 01:12 joemccall86

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] avatar Jun 16 '23 22:06 stale[bot]

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!

stale[bot] avatar Jul 01 '23 23:07 stale[bot]