kics
ECR Repository Without Policy found when using for_each
Expected Behavior
Not finding "ECR Repository Without Policy, Severity: LOW, Results: 1". Creation of many resources is common and for_each should be used for this instead of having to create each resource individually.
Actual Behavior
ECR Repository Without Policy, Severity: LOW, Results: 1
Steps to Reproduce the Problem
- Create aws_ecr_repository with and without for_each
- Run kics scan:
  docker run -v D:\scm\non-product\aws\terraform\modules\ecrtest:/path checkmarx/kics scan -p "/path" -o "/path/" checkmarx/kics
- Review result: aws_ecr_repository resource (one) with for_each has policy issues; aws_ecr_repository resource (second) without for_each has no policy issues.
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "3.63"
    }
  }
}

provider "aws" {
  profile = "nonprod"
  region  = "eu-west-1"
}

variable "repository_names" {
  type        = list(string)
  description = "value"
  default     = ["repo1", "repo2"]
}

variable "repository_name" {
  type        = string
  description = "value"
  default     = "repo1"
}

variable "tags" {
  type        = map(string)
  description = "value"
  default     = { environment : "test", owner : "ops" }
}

resource "aws_ecr_repository" "one" {
  for_each             = toset(var.repository_names)
  name                 = each.value
  image_tag_mutability = "IMMUTABLE"
  image_scanning_configuration {
    scan_on_push = true
  }
  encryption_configuration {
    encryption_type = "AES256"
  }
  tags = var.tags
}

resource "aws_ecr_repository_policy" "one" {
  for_each   = toset(var.repository_names)
  repository = aws_ecr_repository.one[each.value].name
  policy     = data.aws_iam_policy_document.policy_document.json
}

resource "aws_ecr_repository" "second" {
  name                 = var.repository_name
  image_tag_mutability = "IMMUTABLE"
  image_scanning_configuration {
    scan_on_push = true
  }
  encryption_configuration {
    encryption_type = "AES256"
  }
  tags = var.tags
}

resource "aws_ecr_repository_policy" "second" {
  repository = aws_ecr_repository.second.name
  policy     = data.aws_iam_policy_document.policy_document.json
}

data "aws_iam_policy_document" "policy_document" {
  statement {
    sid    = "ecr_read_write_permissions"
    effect = "Allow"
    actions = [
      "ecr:PutImage",
    ]
    principals {
      identifiers = ["user arn"]
      type        = "AWS"
    }
  }
}
```
Specifications
(N/A if not applicable)
- Version: v1.5.5
- Platform: Terraform
- Subsystem:
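To illustrate where the false positive comes from, here is an added example (not KICS's own query, which is written in Rego) that models the four resources above and links each aws_ecr_repository_policy to its repository. A matcher that only understands the plain reference `aws_ecr_repository.<label>.name` misses the for_each form `aws_ecr_repository.one[each.value].name` and reports "one" as having no policy; a matcher that tolerates the index does not. The resource dictionaries and function names are constructed for this example.

```python
import re

# Constructed model of the issue's resources: attribute values are the raw
# reference expressions as written in the .tf file, not evaluated values.
RESOURCES = [
    {"type": "aws_ecr_repository", "name": "one", "for_each": "toset(var.repository_names)"},
    {"type": "aws_ecr_repository_policy", "name": "one",
     "repository": "aws_ecr_repository.one[each.value].name"},
    {"type": "aws_ecr_repository", "name": "second"},
    {"type": "aws_ecr_repository_policy", "name": "second",
     "repository": "aws_ecr_repository.second.name"},
]

# Reference to a repository resource, with an optional for_each/count index.
REPO_REF = re.compile(r"^aws_ecr_repository\.(?P<label>[\w-]+)(?:\[[^\]]+\])?\.name$")


def referenced_repo(policy, index_aware):
    """Return the label of the aws_ecr_repository a policy attaches to, or None."""
    ref = policy.get("repository", "")
    if index_aware:
        m = REPO_REF.match(ref)
        return m.group("label") if m else None
    # Naive matching: only accepts exactly "aws_ecr_repository.<label>.name".
    # Splitting "aws_ecr_repository.one[each.value].name" on "." yields four
    # parts, so the indexed reference is silently dropped.
    parts = ref.split(".")
    if len(parts) == 3 and parts[0] == "aws_ecr_repository" and parts[2] == "name":
        return parts[1]
    return None


def repos_without_policy(resources, index_aware=True):
    """Labels of aws_ecr_repository resources with no policy resource pointing at them."""
    covered = {
        referenced_repo(r, index_aware)
        for r in resources
        if r["type"] == "aws_ecr_repository_policy"
    }
    return [
        r["name"]
        for r in resources
        if r["type"] == "aws_ecr_repository" and r["name"] not in covered
    ]


if __name__ == "__main__":
    print("naive:      ", repos_without_policy(RESOURCES, index_aware=False))  # ['one']
    print("index-aware:", repos_without_policy(RESOURCES, index_aware=True))   # []
```

The same linkage logic applies to any check that pairs a resource with a companion resource by reference; a scanner that does not resolve indexed references will report the for_each instance as unprotected even though the policy is attached.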
Hello @noelmcgrath, thank you for noticing that! You are correct, the problem here is that currently we do not support the for_each syntax, which gives you that false positive. We are currently researching to see if we can incorporate the for_each syntax in KICS.
Currently we don't have any plans in order to support the for_each syntax.