trivy
bug(misconf): false negative avd-gcp-0056 with terraform dynamic blocks
Example:

```hcl
locals {
  cluster_network_policy = [{
    enabled = true
  }]
}

resource "google_container_cluster" "primary" {
  name = "test"

  dynamic "network_policy" {
    for_each = local.cluster_network_policy
    content {
      enabled = network_policy.value.enabled
    }
  }
}
```
Discussed in https://github.com/aquasecurity/trivy/discussions/5868
Originally posted by pawelmrowka January 4, 2024
IDs
avd-gcp-0056
Description
Trivy incorrectly detects avd-gcp-0056 when using the GKE Terraform module
https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/tree/master#usage
probably due to the use of a dynamic block.
We found a similar issue with https://github.com/terraform-google-modules/terraform-google-sql-db/tree/v18.1.0/modules/mysql and:
AVD-GCP-0015 - dynamic "ip_configuration"
AVD-GCP-0024 - dynamic "backup_configuration"
Reproduction Steps
1. Copy the usage example from https://github.com/terraform-google-modules/terraform-google-kubernetes-engine/tree/master#usage to main.tf
2. Run `trivy fs --skip-dirs .terraform --scanners misconfig .`. You will find avd-gcp-0056 among the vulnerabilities (that's good)
3. In main.tf, change
   `network_policy = false`
   to
   `network_policy = true`
4. Rerun `trivy fs --skip-dirs .terraform --scanners misconfig .`. You will find avd-gcp-0056 among the vulnerabilities (that's not good)
...
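The debug output further down logs `"for_each" argument is invalid: tuple type is not supported: arg is not set or map` for the module's list-driven dynamic blocks, each of which is then expanded into 0 clones; a list-valued `local.cluster_network_policy` therefore yields no `network_policy` block at all, which is consistent with the check still firing after `network_policy = true`. The Go program below is an added illustration, not trivy's code: it models a set-or-map-only expansion (`expandStrict`, reproducing the logged messages) beside a Terraform-compatible variant that also iterates lists and tuples by index (`expandLenient`), and runs the page's locals value through both together with a simplified "network policy enabled" condition; all type and function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strconv"
)

// Set marks a for_each value as a Terraform set of objects. A plain
// []map[string]any models a list or tuple, as in the page's locals block:
// cluster_network_policy = [{ enabled = true }].
type Set []map[string]any

// Clone is one expanded copy of a dynamic block: the iterator key plus the
// object bound to <label>.value inside the content block.
type Clone struct {
	Key   string
	Value map[string]any
}

// expandStrict models the behaviour visible in the debug log (hypothetical
// model, not trivy's code): only set and map values are accepted; a null or
// list/tuple for_each produces the logged error and zero clones.
func expandStrict(forEach any) ([]Clone, error) {
	switch v := forEach.(type) {
	case nil:
		return nil, errors.New(`"for_each" argument is invalid: arg is null`)
	case map[string]map[string]any:
		return clonesFromMap(v), nil
	case Set:
		clones := make([]Clone, 0, len(v))
		for _, obj := range v {
			// For sets Terraform uses the element itself as the key.
			clones = append(clones, Clone{Key: fmt.Sprint(obj), Value: obj})
		}
		return clones, nil
	case []map[string]any:
		return nil, errors.New(`"for_each" argument is invalid: tuple type is not supported: arg is not set or map`)
	default:
		return nil, fmt.Errorf(`"for_each" argument is invalid: %T is not set or map`, forEach)
	}
}

// expandLenient follows Terraform's own rule for dynamic blocks: a list or
// tuple is iterated in order and <label>.key is the element index.
func expandLenient(forEach any) ([]Clone, error) {
	if list, ok := forEach.([]map[string]any); ok {
		clones := make([]Clone, 0, len(list))
		for i, obj := range list {
			clones = append(clones, Clone{Key: strconv.Itoa(i), Value: obj})
		}
		return clones, nil
	}
	return expandStrict(forEach)
}

// clonesFromMap expands a map-valued for_each with deterministic key order.
func clonesFromMap(m map[string]map[string]any) []Clone {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	clones := make([]Clone, 0, len(m))
	for _, k := range keys {
		clones = append(clones, Clone{Key: k, Value: m[k]})
	}
	return clones
}

// networkPolicyEnabled is a simplified stand-in for the condition the page
// toggles with network_policy = true/false: it passes only when an expanded
// network_policy block exists with enabled = true. With zero clones the
// block is missing entirely, so the condition fails regardless of the local.
func networkPolicyEnabled(clones []Clone) bool {
	for _, c := range clones {
		if enabled, _ := c.Value["enabled"].(bool); enabled {
			return true
		}
	}
	return false
}

func main() {
	// The page's locals value, constructed inline: a one-element list.
	clusterNetworkPolicy := []map[string]any{{"enabled": true}}

	strict, err := expandStrict(clusterNetworkPolicy)
	fmt.Printf("strict:  %d clone(s), err=%v, enabled=%v\n", len(strict), err, networkPolicyEnabled(strict))

	lenient, err := expandLenient(clusterNetworkPolicy)
	fmt.Printf("lenient: %d clone(s), err=%v, enabled=%v\n", len(lenient), err, networkPolicyEnabled(lenient))
}
```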
Target
Filesystem
Scanner
Misconfiguration
Target OS
No response
Debug Output
$ trivy fs --skip-dirs .terraform --scanners misconfig . --debug
2024-01-04T09:27:45.522+0100 DEBUG Severities: ["UNKNOWN" "LOW" "MEDIUM" "HIGH" "CRITICAL"]
2024-01-04T09:27:45.522+0100 DEBUG Ignore statuses {"statuses": null}
2024-01-04T09:27:45.526+0100 DEBUG cache dir: /home/ant/.cache/trivy
2024-01-04T09:27:45.526+0100 INFO Misconfiguration scanning is enabled
2024-01-04T09:27:45.526+0100 DEBUG Policies successfully loaded from disk
2024-01-04T09:27:45.526+0100 DEBUG Enabling misconfiguration scanners: [azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan]
2024-01-04T09:27:45.534+0100 DEBUG The nuget packages directory couldn't be found. License search disabled
2024-01-04T09:27:45.537+0100 DEBUG Walk the file tree rooted at '.' in parallel
2024-01-04T09:27:45.537+0100 DEBUG Skipping directory: .terraform
2024-01-04T09:27:45.537+0100 DEBUG Scanning Terraform files for misconfigurations...
2024-01-04T09:27:45.537+0100 DEBUG [misconf] 27:45.537375968 terraform.scanner Scanning [&{%!s(*mapfs.file=&{ [] {. 256 2147484096 {13933496095977458232 454427664 0x55c676d4ae60} <nil>} {{{0 0} {[] {} 0xc002c2d930} map[main.tf:0xc00292ef80] 0}}}) .}] at '.'...
2024-01-04T09:27:45.538+0100 DEBUG [misconf] 27:45.538990079 terraform.scanner.rego Overriding filesystem for policies!
2024-01-04T09:27:45.576+0100 DEBUG [misconf] 27:45.576125176 terraform.scanner.rego Loaded 188 policies from disk.
2024-01-04T09:27:45.576+0100 DEBUG [misconf] 27:45.576481761 terraform.scanner.rego Overriding filesystem for data!
2024-01-04T09:27:45.929+0100 DEBUG [misconf] 27:45.929362309 terraform.scanner Scanning root module '.'...
2024-01-04T09:27:45.929+0100 DEBUG [misconf] 27:45.929402260 terraform.parser.<root> Setting project/module root to '.'
2024-01-04T09:27:45.929+0100 DEBUG [misconf] 27:45.929406269 terraform.parser.<root> Parsing FS from '.'
2024-01-04T09:27:45.929+0100 DEBUG [misconf] 27:45.929423586 terraform.parser.<root> Parsing 'main.tf'...
2024-01-04T09:27:45.929+0100 DEBUG [misconf] 27:45.929744076 terraform.parser.<root> Added file main.tf.
2024-01-04T09:27:45.929+0100 DEBUG [misconf] 27:45.929754445 terraform.parser.<root> Evaluating module...
2024-01-04T09:27:45.929+0100 DEBUG [misconf] 27:45.929931256 terraform.parser.<root> Read 3 block(s) and 0 ignore(s) for module 'root' (1 file[s])...
2024-01-04T09:27:45.929+0100 DEBUG [misconf] 27:45.929944857 terraform.parser.<root> Added 0 variables from tfvars.
2024-01-04T09:27:45.929+0100 DEBUG [misconf] 27:45.929951238 terraform.parser.<root> Error loading module metadata: open .terraform/modules/modules.json: file does not exist.
2024-01-04T09:27:45.929+0100 DEBUG [misconf] 27:45.929978016 terraform.parser.<root> Working directory for module evaluation is '/home/ant/tmp/trivy-test'
2024-01-04T09:27:45.930+0100 DEBUG [misconf] 27:45.930016027 terraform.parser.<root>.evaluator Filesystem key is '5cfd7fbf905e60ef985cc7cb06ed1f76cbf8c7283d6227ede0f38226d4cc6fb2'
2024-01-04T09:27:45.930+0100 DEBUG [misconf] 27:45.930022626 terraform.parser.<root>.evaluator Starting module evaluation...
2024-01-04T09:27:45.930+0100 DEBUG [misconf] 27:45.930145799 terraform.parser.<root>.evaluator Starting submodule evaluation...
2024-01-04T09:27:45.930+0100 DEBUG [misconf] 27:45.930155531 terraform.parser.<root>.evaluator locating non-initialised module 'terraform-google-modules/kubernetes-engine/google'...
2024-01-04T09:27:45.930+0100 DEBUG [misconf] 27:45.930162263 terraform.parser.<root>.evaluator.resolver Resolving module 'module.gke' with source: 'terraform-google-modules/kubernetes-engine/google'...
2024-01-04T09:27:45.930+0100 DEBUG [misconf] 27:45.930194286 terraform.parser.<root>.evaluator.resolver Trying to resolve: 8956e3d78c99f74ad536984693efa725
2024-01-04T09:27:45.930+0100 DEBUG [misconf] 27:45.930209483 terraform.parser.<root>.evaluator.resolver Module 'module.gke' resolving via cache...
2024-01-04T09:27:45.930+0100 DEBUG [misconf] 27:45.930214894 terraform.parser.<root>.evaluator.resolver Module path is .
2024-01-04T09:27:45.930+0100 DEBUG [misconf] 27:45.930220257 terraform.parser.<root>.evaluator Module 'module.gke' resolved to path '.' in filesystem '/tmp/.aqua/cache/8956e3d78c99f74ad536984693efa725' with prefix 'terraform-google-modules/kubernetes-engine/google'
2024-01-04T09:27:45.930+0100 DEBUG [misconf] 27:45.930225221 terraform.parser.<gke> Parsing FS from '.'
2024-01-04T09:27:45.930+0100 DEBUG [misconf] 27:45.930293747 terraform.parser.<gke> Parsing 'cluster.tf'...
2024-01-04T09:27:45.934+0100 DEBUG [misconf] 27:45.934666237 terraform.parser.<gke> Added file cluster.tf.
2024-01-04T09:27:45.934+0100 DEBUG [misconf] 27:45.934853574 terraform.parser.<gke> Parsing 'dns.tf'...
2024-01-04T09:27:45.935+0100 DEBUG [misconf] 27:45.935385165 terraform.parser.<gke> Added file dns.tf.
2024-01-04T09:27:45.935+0100 DEBUG [misconf] 27:45.935477193 terraform.parser.<gke> Parsing 'firewall.tf'...
2024-01-04T09:27:45.936+0100 DEBUG [misconf] 27:45.936622152 terraform.parser.<gke> Added file firewall.tf.
2024-01-04T09:27:45.936+0100 DEBUG [misconf] 27:45.936641734 terraform.parser.<gke> Parsing 'main.tf'...
2024-01-04T09:27:45.937+0100 DEBUG [misconf] 27:45.937610716 terraform.parser.<gke> Added file main.tf.
2024-01-04T09:27:45.937+0100 DEBUG [misconf] 27:45.937619887 terraform.parser.<gke> Parsing 'masq.tf'...
2024-01-04T09:27:45.937+0100 DEBUG [misconf] 27:45.937744945 terraform.parser.<gke> Added file masq.tf.
2024-01-04T09:27:45.937+0100 DEBUG [misconf] 27:45.937750042 terraform.parser.<gke> Parsing 'networks.tf'...
2024-01-04T09:27:45.937+0100 DEBUG [misconf] 27:45.937812794 terraform.parser.<gke> Added file networks.tf.
2024-01-04T09:27:45.937+0100 DEBUG [misconf] 27:45.937817569 terraform.parser.<gke> Parsing 'outputs.tf'...
2024-01-04T09:27:45.938+0100 DEBUG [misconf] 27:45.938258644 terraform.parser.<gke> Added file outputs.tf.
2024-01-04T09:27:45.938+0100 DEBUG [misconf] 27:45.938263801 terraform.parser.<gke> Parsing 'sa.tf'...
2024-01-04T09:27:45.938+0100 DEBUG [misconf] 27:45.938524427 terraform.parser.<gke> Added file sa.tf.
2024-01-04T09:27:45.938+0100 DEBUG [misconf] 27:45.938529033 terraform.parser.<gke> Parsing 'variables.tf'...
2024-01-04T09:27:45.940+0100 DEBUG [misconf] 27:45.940644281 terraform.parser.<gke> Added file variables.tf.
2024-01-04T09:27:45.940+0100 DEBUG [misconf] 27:45.940652717 terraform.parser.<gke> Parsing 'variables_defaults.tf'...
2024-01-04T09:27:45.941+0100 DEBUG [misconf] 27:45.941019810 terraform.parser.<gke> Added file variables_defaults.tf.
2024-01-04T09:27:45.941+0100 DEBUG [misconf] 27:45.941027180 terraform.parser.<gke> Parsing 'versions.tf'...
2024-01-04T09:27:45.941+0100 DEBUG [misconf] 27:45.941134168 terraform.parser.<gke> Added file versions.tf.
2024-01-04T09:27:45.941+0100 DEBUG [misconf] 27:45.941140685 terraform.parser.<root>.evaluator Loaded module 'gke' from '.'.
2024-01-04T09:27:45.941+0100 DEBUG [misconf] 27:45.941144713 terraform.parser.<gke> Evaluating module...
2024-01-04T09:27:45.948+0100 DEBUG [misconf] 27:45.948504016 terraform.parser.<gke> Read 147 block(s) and 0 ignore(s) for module 'gke' (11 file[s])...
2024-01-04T09:27:45.948+0100 DEBUG [misconf] 27:45.948601872 terraform.parser.<gke> Added 20 input variables from module definition.
2024-01-04T09:27:45.948+0100 DEBUG [misconf] 27:45.948625918 terraform.parser.<gke> Error loading module metadata: open .terraform/modules/modules.json: no such file or directory.
2024-01-04T09:27:45.948+0100 DEBUG [misconf] 27:45.948637309 terraform.parser.<gke> Working directory for module evaluation is '/home/ant/tmp/trivy-test'
2024-01-04T09:27:45.948+0100 DEBUG [misconf] 27:45.948738617 terraform.parser.<gke>.evaluator Filesystem key is '68c564a2c81e99e8adfd4aeffc0ccd21b8e8a0155d140e7bc0d5805478113aca'
2024-01-04T09:27:45.948+0100 DEBUG [misconf] 27:45.948743646 terraform.parser.<gke>.evaluator Starting module evaluation...
2024-01-04T09:27:45.957+0100 DEBUG [misconf] 27:45.957527024 terraform.parser.<gke>.evaluator Expanded block 'data.google_compute_subnetwork.gke_subnetwork' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100 DEBUG [misconf] 27:45.957567099 terraform.parser.<gke>.evaluator Expanded block 'data.google_compute_zones.available' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100 DEBUG [misconf] 27:45.957595522 terraform.parser.<gke>.evaluator Expanded block 'google_compute_firewall.intra_egress' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100 DEBUG [misconf] 27:45.957610409 terraform.parser.<gke>.evaluator Expanded block 'google_compute_firewall.master_webhooks' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100 DEBUG [misconf] 27:45.957622133 terraform.parser.<gke>.evaluator Expanded block 'google_compute_firewall.shadow_allow_inkubelet' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100 DEBUG [misconf] 27:45.957633288 terraform.parser.<gke>.evaluator Expanded block 'google_compute_firewall.shadow_allow_master' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100 DEBUG [misconf] 27:45.957644178 terraform.parser.<gke>.evaluator Expanded block 'google_compute_firewall.shadow_allow_nodes' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100 DEBUG [misconf] 27:45.957654464 terraform.parser.<gke>.evaluator Expanded block 'google_compute_firewall.shadow_allow_pods' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100 DEBUG [misconf] 27:45.957664719 terraform.parser.<gke>.evaluator Expanded block 'google_compute_firewall.shadow_deny_exkubelet' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100 DEBUG [misconf] 27:45.957741860 terraform.parser.<gke>.evaluator Expanded block 'google_project_iam_member.cluster_service_account-nodeService_account' into 1 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100 DEBUG [misconf] 27:45.957792050 terraform.parser.<gke>.evaluator Expanded block 'google_service_account.cluster_service_account' into 1 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100 DEBUG [misconf] 27:45.957800870 terraform.parser.<gke>.evaluator Expanded block 'kubernetes_config_map.ip-masq-agent' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100 DEBUG [misconf] 27:45.957814441 terraform.parser.<gke>.evaluator Expanded block 'kubernetes_config_map_v1_data.kube-dns' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100 DEBUG [misconf] 27:45.957826348 terraform.parser.<gke>.evaluator Expanded block 'kubernetes_config_map_v1_data.kube-dns-upstream-nameservers-and-stub-domains' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100 DEBUG [misconf] 27:45.957840649 terraform.parser.<gke>.evaluator Expanded block 'kubernetes_config_map_v1_data.kube-dns-upstream-namservers' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.957+0100 DEBUG [misconf] 27:45.957852263 terraform.parser.<gke>.evaluator Expanded block 'random_shuffle.available_zones' into 0 clones via 'count' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958256665 terraform.parser.<gke>.evaluator Expanded block 'google_container_node_pool.pools' into 1 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958267846 terraform.parser.<gke>.evaluator Expanded block 'google_container_node_pool.windows_pools' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958317380 terraform.parser.<gke>.evaluator Expanded block 'google_project_iam_member.cluster_service_account-artifact-registry' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958339932 terraform.parser.<gke>.evaluator Expanded block 'google_project_iam_member.cluster_service_account-gcr' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958355804 terraform.parser.<gke>.evaluator Expanded block 'dynamic.auto_provisioning_defaults' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958364902 terraform.parser.<gke>.evaluator Expanded block 'dynamic.resource_limits' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958394488 terraform.parser.<gke>.evaluator "for_each" argument is invalid: arg is null
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958401834 terraform.parser.<gke>.evaluator "for_each" argument is invalid: tuple type is not supported: arg is not set or map
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958408833 terraform.parser.<gke>.evaluator "for_each" argument is invalid: tuple type is not supported: arg is not set or map
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958418495 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gcs_fuse_csi_driver_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958435166 terraform.parser.<gke>.evaluator Expanded block 'dynamic.additional_pod_ranges_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958473238 terraform.parser.<gke>.evaluator "for_each" argument is invalid: arg is null
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958482463 terraform.parser.<gke>.evaluator Expanded block 'dynamic.recurring_window' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958488117 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of number type is not supported: arg is not set or map
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958497472 terraform.parser.<gke>.evaluator Expanded block 'dynamic.maintenance_exclusion' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958525312 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gcfs_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958550850 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gvnic' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958555955 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958563262 terraform.parser.<gke>.evaluator "for_each" argument is invalid: tuple type is not supported: arg is not set or map
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958569395 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958583364 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gateway_api_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958598923 terraform.parser.<gke>.evaluator Expanded block 'dynamic.cost_management_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958618725 terraform.parser.<gke>.evaluator Expanded block 'dynamic.logging_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958637837 terraform.parser.<gke>.evaluator Expanded block 'dynamic.monitoring_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958657585 terraform.parser.<gke>.evaluator Expanded block 'dynamic.binary_authorization' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958673468 terraform.parser.<gke>.evaluator Expanded block 'dynamic.master_authorized_networks_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958692602 terraform.parser.<gke>.evaluator Expanded block 'dynamic.service_external_ips_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958732162 terraform.parser.<gke>.evaluator Expanded block 'dynamic.dns_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958769034 terraform.parser.<gke>.evaluator Expanded block 'dynamic.resource_usage_export_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958774382 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958780190 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958786995 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958805804 terraform.parser.<gke>.evaluator Expanded block 'dynamic.authenticator_groups_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958844878 terraform.parser.<gke>.evaluator Expanded block 'dynamic.blue_green_settings' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958880261 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gpu_driver_installation_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958917447 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gcfs_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958951904 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gvnic' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.958+0100 DEBUG [misconf] 27:45.958968124 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959008295 terraform.parser.<gke>.evaluator Expanded block 'dynamic.guest_accelerator' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959013366 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959050252 terraform.parser.<gke>.evaluator Expanded block 'dynamic.linux_node_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959067132 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of map of string type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959104632 terraform.parser.<gke>.evaluator Expanded block 'dynamic.auto_provisioning_defaults' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959124879 terraform.parser.<gke>.evaluator Expanded block 'dynamic.resource_limits' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959153586 terraform.parser.<gke>.evaluator "for_each" argument is invalid: arg is null
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959159653 terraform.parser.<gke>.evaluator "for_each" argument is invalid: tuple type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959163896 terraform.parser.<gke>.evaluator "for_each" argument is invalid: tuple type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959183763 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gcs_fuse_csi_driver_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959210958 terraform.parser.<gke>.evaluator Expanded block 'dynamic.additional_pod_ranges_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959249004 terraform.parser.<gke>.evaluator "for_each" argument is invalid: arg is null
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959269774 terraform.parser.<gke>.evaluator Expanded block 'dynamic.recurring_window' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959274831 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of number type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959296310 terraform.parser.<gke>.evaluator Expanded block 'dynamic.maintenance_exclusion' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959332379 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gcfs_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959368078 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gvnic' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959372750 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959378572 terraform.parser.<gke>.evaluator "for_each" argument is invalid: tuple type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959383458 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959402447 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gateway_api_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959426601 terraform.parser.<gke>.evaluator Expanded block 'dynamic.cost_management_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959453045 terraform.parser.<gke>.evaluator Expanded block 'dynamic.logging_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959477963 terraform.parser.<gke>.evaluator Expanded block 'dynamic.monitoring_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959501315 terraform.parser.<gke>.evaluator Expanded block 'dynamic.binary_authorization' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959530594 terraform.parser.<gke>.evaluator Expanded block 'dynamic.master_authorized_networks_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959553456 terraform.parser.<gke>.evaluator Expanded block 'dynamic.service_external_ips_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959579794 terraform.parser.<gke>.evaluator Expanded block 'dynamic.dns_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959615992 terraform.parser.<gke>.evaluator Expanded block 'dynamic.resource_usage_export_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959620995 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959626944 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959631381 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959651651 terraform.parser.<gke>.evaluator Expanded block 'dynamic.authenticator_groups_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959689410 terraform.parser.<gke>.evaluator Expanded block 'dynamic.blue_green_settings' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.959+0100 DEBUG [misconf] 27:45.959725819 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gpu_driver_installation_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.962+0100 DEBUG [misconf] 27:45.962670231 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gcfs_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.962+0100 DEBUG [misconf] 27:45.962721580 terraform.parser.<gke>.evaluator Expanded block 'dynamic.gvnic' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.962+0100 DEBUG [misconf] 27:45.962743074 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.962+0100 DEBUG [misconf] 27:45.962796711 terraform.parser.<gke>.evaluator Expanded block 'dynamic.guest_accelerator' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.962+0100 DEBUG [misconf] 27:45.962803415 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of object type is not supported: arg is not set or map
2024-01-04T09:27:45.962+0100 DEBUG [misconf] 27:45.962843477 terraform.parser.<gke>.evaluator Expanded block 'dynamic.linux_node_config' into 0 clones via 'for_each' attribute.
2024-01-04T09:27:45.962+0100 DEBUG [misconf] 27:45.962861463 terraform.parser.<gke>.evaluator "for_each" argument is invalid: list of map of string type is not supported: arg is not set or map
2024-01-04T09:27:45.962+0100 DEBUG [misconf] 27:45.962866678 terraform.parser.<gke>.evaluator Starting submodule evaluation...
2024-01-04T09:27:45.962+0100 DEBUG [misconf] 27:45.962875480 terraform.parser.<gke>.evaluator Finished processing 0 submodule(s).
2024-01-04T09:27:45.962+0100 DEBUG [misconf] 27:45.962879947 terraform.parser.<gke>.evaluator Starting post-submodule evaluation...
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968110877 terraform.parser.<gke>.evaluator Module evaluation complete.
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968147091 terraform.parser.<gke> Finished parsing module 'gke'.
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968154305 terraform.parser.<gke>.evaluator Added module output ca_certificate=cty.NilVal.
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968159419 terraform.parser.<gke>.evaluator Added module output cluster_id=cty.StringVal("4898783e-589a-4173-94f7-b10c2f9e5944").
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968163469 terraform.parser.<gke>.evaluator Added module output endpoint=cty.NilVal.
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968184943 terraform.parser.<gke>.evaluator Added module output gateway_api_channel=cty.NilVal.
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968189081 terraform.parser.<gke>.evaluator Added module output horizontal_pod_autoscaling_enabled=cty.NilVal.
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968193984 terraform.parser.<gke>.evaluator Added module output http_load_balancing_enabled=cty.NilVal.
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968209331 terraform.parser.<gke>.evaluator Added module output identity_namespace=cty.StringVal("<PROJECT ID>.svc.id.goog").
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968219467 terraform.parser.<gke>.evaluator Added module output instance_group_urls=cty.NilVal.
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968224491 terraform.parser.<gke>.evaluator Added module output location=cty.StringVal("us-central1").
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968228909 terraform.parser.<gke>.evaluator Added module output logging_service=cty.StringVal("logging.googleapis.com/kubernetes").
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968235215 terraform.parser.<gke>.evaluator Added module output master_authorized_networks_config=cty.NilVal.
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968245298 terraform.parser.<gke>.evaluator Added module output master_version=cty.NilVal.
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968276067 terraform.parser.<gke>.evaluator Added module output mesh_certificates_config=cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"enable_certificates":cty.False})}).
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968281158 terraform.parser.<gke>.evaluator Added module output min_master_version=cty.NilVal.
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968286510 terraform.parser.<gke>.evaluator Added module output monitoring_service=cty.StringVal("monitoring.googleapis.com/kubernetes").
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968291995 terraform.parser.<gke>.evaluator Added module output name=cty.NilVal.
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968296564 terraform.parser.<gke>.evaluator Added module output network_policy_enabled=cty.NilVal.
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968303244 terraform.parser.<gke>.evaluator Added module output node_pools_names=cty.TupleVal([]cty.Value{cty.StringVal("default-node-pool"), cty.StringVal(""), cty.StringVal("")}).
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968310225 terraform.parser.<gke>.evaluator Added module output node_pools_versions=cty.ObjectVal(map[string]cty.Value{"default-node-pool":cty.StringVal("")}).
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968315902 terraform.parser.<gke>.evaluator Added module output region=cty.StringVal("us-central1").
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968320673 terraform.parser.<gke>.evaluator Added module output release_channel=cty.StringVal("REGULAR").
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968325345 terraform.parser.<gke>.evaluator Added module output service_account=cty.NilVal.
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968330369 terraform.parser.<gke>.evaluator Added module output type=cty.StringVal("regional").
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968335212 terraform.parser.<gke>.evaluator Added module output vertical_pod_autoscaling_enabled=cty.NilVal.
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968342589 terraform.parser.<gke>.evaluator Added module output zones=cty.ListVal([]cty.Value{cty.StringVal("us-central1-a"), cty.StringVal("us-central1-b"), cty.StringVal("us-central1-f")}).
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968355319 terraform.parser.<root>.evaluator Finished processing 1 submodule(s).
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968359018 terraform.parser.<root>.evaluator Starting post-submodule evaluation...
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968421341 terraform.parser.<root>.evaluator Module evaluation complete.
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968426201 terraform.parser.<root> Finished parsing module 'root'.
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968433554 terraform.executor Adapting modules...
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968797011 terraform.executor Adapted 2 module(s) into defsec state data.
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968806766 terraform.executor Using max routines of 7
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968810268 terraform.executor Applying state modifier functions...
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968875483 terraform.executor Initialised 484 rule(s).
2024-01-04T09:27:45.968+0100 DEBUG [misconf] 27:45.968879578 terraform.executor Created pool with 7 worker(s) to apply rules.
2024-01-04T09:27:45.969+0100 DEBUG [misconf] 27:45.969859471 terraform.scanner.rego Scanning 1 inputs...
2024-01-04T09:27:45.981+0100 DEBUG [misconf] 27:45.981384167 terraform.executor Finished applying rules.
2024-01-04T09:27:45.981+0100 DEBUG [misconf] 27:45.981413156 terraform.executor Applying ignores...
2024-01-04T09:27:46.024+0100 DEBUG OS is not detected.
2024-01-04T09:27:46.024+0100 INFO Detected config files: 3
2024-01-04T09:27:46.024+0100 DEBUG Scanned config file: .
2024-01-04T09:27:46.024+0100 DEBUG Scanned config file: terraform-google-modules/kubernetes-engine/google/cluster.tf
2024-01-04T09:27:46.024+0100 DEBUG Scanned config file: terraform-google-modules/kubernetes-engine/google/sa.tf
terraform-google-modules/kubernetes-engine/google/cluster.tf (terraform)
Tests: 18 (SUCCESSES: 12, FAILURES: 6, EXCEPTIONS: 0)
Failures: 6 (UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 3, CRITICAL: 0)
LOW: Cluster does not use GCE resource labels.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Labels make it easier to manage assets and differentiate between clusters and environments, allowing the mapping of computational resources to the wider organisational structure.
See https://avd.aquasec.com/misconfig/avd-gcp-0051
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
terraform-google-modules/kubernetes-engine/google/cluster.tf:28
via terraform-google-modules/kubernetes-engine/google/cluster.tf:22-393 (google_container_cluster.primary)
via main.tf:10-90 (module.gke)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
22 resource "google_container_cluster" "primary" {
..
28 [ resource_labels = var.cluster_resource_labels
...
393 }
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
MEDIUM: Cluster does not have a network policy enabled.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Enabling a network policy allows the segregation of network traffic by namespace
See https://avd.aquasec.com/misconfig/avd-gcp-0056
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
terraform-google-modules/kubernetes-engine/google/cluster.tf:22-393
via main.tf:10-90 (module.gke)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
22 ┌ resource "google_container_cluster" "primary" {
23 │ provider = google
24 │
25 │ name = var.name
26 │ description = var.description
27 │ project = var.project_id
28 │ resource_labels = var.cluster_resource_labels
29 │
30 └ location = local.location
..
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
HIGH: Cluster exposes node metadata of pools by default.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
If the <code>workload_metadata_config</code> block within <code>node_config</code> is included, the <code>node_metadata</code> attribute should be configured securely.
The attribute should be set to <code>SECURE</code> to use metadata concealment, or <code>GKE_METADATA_SERVER</code> if workload identity is enabled. This ensures that the VM metadata is not unnecessarily exposed to pods.
See https://avd.aquasec.com/misconfig/avd-gcp-0057
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
terraform-google-modules/kubernetes-engine/google/cluster.tf:460-578
via terraform-google-modules/kubernetes-engine/google/cluster.tf:397-591 (google_container_node_pool.pools["default-node-pool"])
via main.tf:10-90 (module.gke)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
397 resource "google_container_node_pool" "pools" {
...
460 ┌ node_config {
461 │ image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
462 │ machine_type = lookup(each.value, "machine_type", "e2-medium")
463 │ min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
464 │ dynamic "gcfs_config" {
465 │ for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
466 └ content {
...
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
HIGH: Node pool exposes node metadata.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
If the <code>workload_metadata_config</code> block within <code>node_config</code> is included, the <code>node_metadata</code> attribute should be configured securely.
The attribute should be set to <code>SECURE</code> to use metadata concealment, or <code>GKE_METADATA_SERVER</code> if workload identity is enabled. This ensures that the VM metadata is not unnecessarily exposed to pods.
See https://avd.aquasec.com/misconfig/avd-gcp-0057
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
terraform-google-modules/kubernetes-engine/google/cluster.tf:460-578
via terraform-google-modules/kubernetes-engine/google/cluster.tf:397-591 (google_container_node_pool.pools["default-node-pool"])
via main.tf:10-90 (module.gke)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
397 resource "google_container_node_pool" "pools" {
...
460 ┌ node_config {
461 │ image_type = lookup(each.value, "image_type", "COS_CONTAINERD")
462 │ machine_type = lookup(each.value, "machine_type", "e2-medium")
463 │ min_cpu_platform = lookup(each.value, "min_cpu_platform", "")
464 │ dynamic "gcfs_config" {
465 │ for_each = lookup(each.value, "enable_gcfs", false) ? [true] : []
466 └ content {
...
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
MEDIUM: Cluster does not have private nodes.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Enabling private nodes on a cluster ensures the nodes are only available internally as they will only be assigned internal addresses.
See https://avd.aquasec.com/misconfig/avd-gcp-0059
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
terraform-google-modules/kubernetes-engine/google/cluster.tf:22-393
via main.tf:10-90 (module.gke)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
22 ┌ resource "google_container_cluster" "primary" {
23 │ provider = google
24 │
25 │ name = var.name
26 │ description = var.description
27 │ project = var.project_id
28 │ resource_labels = var.cluster_resource_labels
29 │
30 └ location = local.location
..
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
HIGH: Cluster does not have master authorized networks enabled.
════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Enabling authorized networks means you can restrict master access to a fixed set of CIDR ranges
See https://avd.aquasec.com/misconfig/avd-gcp-0061
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
terraform-google-modules/kubernetes-engine/google/cluster.tf:22-393
via main.tf:10-90 (module.gke)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
22 ┌ resource "google_container_cluster" "primary" {
23 │ provider = google
24 │
25 │ name = var.name
26 │ description = var.description
27 │ project = var.project_id
28 │ resource_labels = var.cluster_resource_labels
29 │
30 └ location = local.location
..
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Version
$ trivy --version
Version: dev
Vulnerability DB:
Version: 2
UpdatedAt: 2024-01-04 06:12:51.526611719 +0000 UTC
NextUpdate: 2024-01-04 12:12:51.526611448 +0000 UTC
DownloadedAt: 2024-01-04 07:57:12.926444486 +0000 UTC
Policy Bundle:
Digest: sha256:8bfc31f3e4301ef758b6793a07e0b12b4306e0b54d03a640efb2ff5e5ef29b9e
DownloadedAt: 2024-01-03 11:44:59.83336388 +0000 UTC
Checklist
- [X] Read the documentation regarding wrong detection
- [X] Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct