
[Terraform] Add for_each support to prevent false positives

Open leandroyou opened this issue 2 years ago • 5 comments

Expected Behavior

Not throwing a Redis Publicly Accessible Vulnerability error when using a for_each on azurerm_redis_firewall_rule resource

Actual Behavior

Vulnerability Redis Publicly Accessible found on resource azurerm_redis_firewall_rule when using a for_each. If I remove the for_each from the azurerm_redis_firewall_rule resource and instantiate with the same IP defined on the redis variable, the error will not show up.

Steps to Reproduce the Problem

  1. Instantiate azurerm_redis_firewall_rule resource
  2. Use a for_each to dynamically create resources
  3. Set start_ip and end_ip to the for_each value using each.value

locals {
  redis_allowed_ips = ["10.0.0.1"]
}

resource "azurerm_redis_cache" "redis" {
  name                = "redis"
  location            = "location"
  resource_group_name = "resource_group_name"
  capacity            = 1
  family              = "P"
  sku_name            = "Premium"

  redis_configuration {
  }
}

resource "azurerm_redis_firewall_rule" "firewall_rule" {
  # for_each accepts only a set or map; the local above is a list, so it must be converted
  for_each = toset(local.redis_allowed_ips)

  name                = "redis_firewall_rule_${replace(each.value, ".", "_")}"
  redis_cache_name    = azurerm_redis_cache.redis.name
  resource_group_name = "resource_group_name"
  start_ip            = each.value
  end_ip              = each.value
}

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.86.0"
    }
  }
}

Specifications

(N/A if not applicable)

  • Version: v1.5.5
  • Platform: Terraform
  • Subsystem: N/A

leandroyou avatar Apr 11 '22 11:04 leandroyou

I just noticed that in my example above I used locals, but in my project I used variables. So this issue is not related to the problem.

A new example without locals:

variable "redis_allowed_ips" {
  type    = set(string)
  default = ["10.0.0.1"]
}

resource "azurerm_redis_cache" "redis" {
  name                = "redis"
  location            = "location"
  resource_group_name = "resource_group_name"
  capacity            = 1
  family              = "P"
  sku_name            = "Premium"

  redis_configuration {
  }
}

resource "azurerm_redis_firewall_rule" "firewall_rule" {
  for_each = var.redis_allowed_ips

  name                = "redis_firewall_rule_${replace(each.value, ".", "_")}"
  redis_cache_name    = azurerm_redis_cache.redis.name
  resource_group_name = "resource_group_name"
  start_ip            = each.value
  end_ip              = each.value
}

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "=2.86.0"
    }
  }
}

leandroyou avatar Apr 12 '22 17:04 leandroyou

Hello @leandroyou, thank you for noticing that! You are correct, the problem here is that currently we do not support the for_each syntax, which gives you that false positive. We are currently researching to see if we can incorporate the for_each syntax in KICS.

cxAndreFelicidade avatar May 06 '22 11:05 cxAndreFelicidade
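To make the false positive described above concrete, here is an added illustration (not KICS's own code or query logic) of the difference between a scanner that evaluates the raw `azurerm_redis_firewall_rule` block and one that first expands `for_each` and substitutes `each.value`. The parsed block and variable are constructed from the issue's example; the `is_public_range` check is an assumed approximation of a "publicly accessible" rule, not the exact KICS query.

```python
import ipaddress
import re

# Constructed sample: the azurerm_redis_firewall_rule block from the issue,
# as a static scanner would see it before evaluation, plus the variable
# it iterates over.
VARIABLES = {"redis_allowed_ips": {"10.0.0.1"}}
RULE_BLOCK = {
    "for_each": "var.redis_allowed_ips",
    "start_ip": "each.value",
    "end_ip": "each.value",
}

_VAR_REF = re.compile(r"^var\.(\w+)$")


def expand_for_each(block: dict, variables: dict) -> list[dict]:
    """Return one concrete instance per for_each element with each.value
    substituted. Blocks without for_each are returned unchanged."""
    expr = block.get("for_each")
    if expr is None:
        return [dict(block)]
    m = _VAR_REF.match(expr)
    if not m or m.group(1) not in variables:
        raise ValueError(f"cannot resolve for_each expression {expr!r}")
    instances = []
    for value in sorted(variables[m.group(1)]):
        inst = {k: (value if v == "each.value" else v)
                for k, v in block.items() if k != "for_each"}
        instances.append(inst)
    return instances


def is_public_range(start_ip: str, end_ip: str) -> bool:
    """Assumed approximation of the check: a rule is treated as public if
    either endpoint is a non-private address, or if the values are not IP
    literals at all (an unresolved expression such as "each.value")."""
    try:
        start, end = ipaddress.ip_address(start_ip), ipaddress.ip_address(end_ip)
    except ValueError:
        return True  # unresolved expression cannot be proven private
    return not (start.is_private and end.is_private)


def scan_naive(block: dict) -> list[str]:
    """Scanner without for_each support: checks the raw, unevaluated block."""
    return (["Redis Publicly Accessible"]
            if is_public_range(block["start_ip"], block["end_ip"]) else [])


def scan_for_each_aware(block: dict, variables: dict) -> list[str]:
    """Scanner that expands for_each first and checks each concrete instance."""
    return [f"Redis Publicly Accessible (instance {i['start_ip']})"
            for i in expand_for_each(block, variables)
            if is_public_range(i["start_ip"], i["end_ip"])]
```

The naive scan flags the block because `each.value` is not an IP literal, while the for_each-aware scan resolves it to 10.0.0.1 and reports nothing; a genuinely public value in the set is still reported per instance.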

Hello @cxAndreFelicidade, thank you for the information, I will be waiting for an update.

leandroyou avatar May 10 '22 13:05 leandroyou

@cxAndreFelicidade I changed the issue title to prevent further duplicates such as #5312

leandroyou avatar May 10 '22 14:05 leandroyou

@leandroyou thank you for being so attentive!

cxAndreFelicidade avatar May 10 '22 14:05 cxAndreFelicidade

Currently we don't have any plans to support this.

anterosilva1985 avatar May 10 '24 09:05 anterosilva1985