checkov
Unable to check Terraform resources dependencies created with a for_each loop
Hello
My goal
Checking that any Azure subnet is protected with a custom security group
Terraform code
resource "azurerm_subnet" "snet" {
  for_each = local.subnets
  ...
}

resource "azurerm_network_security_group" "nsg" {
  for_each = local.subnets
  ...
}

resource "azurerm_subnet_network_security_group_association" "nsgass" {
  for_each                  = local.subnets
  subnet_id                 = azurerm_subnet.snet["${each.key}"].id
  network_security_group_id = azurerm_network_security_group.nsg["${each.key}"].id
}
Additional info
The Terraform local.subnets variable is a dictionary containing something like this:
{
  0 : "a.b.c.0/25"
  1 : "a.b.c.128/25"
}
Checkov custom policy definition
definition:
  and:
    - cond_type: "filter"
      attribute: "resource_type"
      value:
        - "azurerm_subnet"
      operator: "within"
    - cond_type: "connection"
      resource_types:
        - "azurerm_subnet"
      connected_resource_types:
        - "azurerm_subnet_network_security_group_association"
      operator: "exists"
Checkov error message
FAILED for resource: azurerm_subnet.snet
Checkov version: 2.0.929
Would like to add that this is important to be able to scan the code for this. Could someone from the product/dev team give a comment on this and an idea on if/when this will be fixed?
Thanks in advance.
I think it might be better to run this against a JSON version of the tfplan.
terraform plan -out=FILE.tfplan
terraform show -json FILE.tfplan > FILE.json
checkov -f FILE.json
This appears to work for me. I'll run more detailed tests tomorrow.
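One way to perform the subnet-to-association check the original post describes directly on the plan JSON that the workaround above produces, as an added example (not Checkov's own code and not from the issue): it reads `terraform show -json` output, pairs each planned azurerm_subnet instance with an association instance by for_each key, and reports the subnets nothing covers. The plan snippet embedded in it is constructed, and the names `unprotected_subnets`, `_subnet_targets` and `SAMPLE_PLAN_JSON` are chosen here. It goes slightly beyond the issue's own code by also honouring an explicit key such as azurerm_subnet.snet["0"] in an association's subnet_id reference.

```python
"""Check that every planned azurerm_subnet has a network security group
association, using the JSON plan from `terraform show -json`.
Added example; not Checkov's own code."""
import json
import re

SUBNET_TYPE = "azurerm_subnet"
ASSOC_TYPE = "azurerm_subnet_network_security_group_association"

# Matches a resource reference and an optional index:
#   azurerm_subnet.snet           -> type, name, no key
#   azurerm_subnet.snet["0"]      -> explicit key "0"   (group 3)
#   azurerm_subnet.snet[each.key] -> non-literal index  (group 4)
_REF = re.compile(r'^([a-z0-9_]+)\.([A-Za-z0-9_-]+)(?:\[(?:"([^"]*)"|([^\]]*))\])?')

# Constructed sample: the shape of `terraform show -json FILE.tfplan`, trimmed
# to the fields this check reads. Two subnets are planned, but the association
# block only produces an instance for key "0", so subnet "1" is unprotected.
# subnet_id is "known after apply" at plan time, so it is absent from values.
SAMPLE_PLAN_JSON = json.dumps({
    "format_version": "1.1",
    "planned_values": {"root_module": {"resources": [
        {"address": 'azurerm_subnet.snet["0"]', "mode": "managed",
         "type": SUBNET_TYPE, "name": "snet", "index": "0",
         "values": {"address_prefixes": ["a.b.c.0/25"]}},
        {"address": 'azurerm_subnet.snet["1"]', "mode": "managed",
         "type": SUBNET_TYPE, "name": "snet", "index": "1",
         "values": {"address_prefixes": ["a.b.c.128/25"]}},
        {"address": 'azurerm_network_security_group.nsg["0"]', "mode": "managed",
         "type": "azurerm_network_security_group", "name": "nsg", "index": "0",
         "values": {}},
        {"address": ASSOC_TYPE + '.nsgass["0"]', "mode": "managed",
         "type": ASSOC_TYPE, "name": "nsgass", "index": "0", "values": {}},
    ]}},
    "configuration": {"root_module": {"resources": [
        {"address": ASSOC_TYPE + ".nsgass", "mode": "managed",
         "type": ASSOC_TYPE, "name": "nsgass",
         "expressions": {
             "subnet_id": {"references": [
                 "each.key", "azurerm_subnet.snet[each.key].id",
                 "azurerm_subnet.snet[each.key]", "azurerm_subnet.snet"]},
             "network_security_group_id": {"references": [
                 "each.key", "azurerm_network_security_group.nsg[each.key].id",
                 "azurerm_network_security_group.nsg[each.key]",
                 "azurerm_network_security_group.nsg"]}},
         "for_each_expression": {"references": ["local.subnets"]}},
    ]}},
})


def _subnet_targets(config_resource):
    """Return {subnet_name: explicit_key_or_None} for the subnet_id expression
    of one association block from plan["configuration"]. The references list
    may contain a traversal and its prefixes, so a name can appear several
    times; a literal key wins, anything else means "the block's own keys"."""
    refs = (config_resource.get("expressions", {})
            .get("subnet_id", {}).get("references", []))
    targets = {}
    for ref in refs:
        m = _REF.match(ref)
        if not m or m.group(1) != SUBNET_TYPE:
            continue
        name, explicit = m.group(2), m.group(3)
        if explicit is not None or name not in targets:
            targets[name] = explicit
    return targets


def unprotected_subnets(plan_json):
    """Return addresses of planned azurerm_subnet instances that no association
    instance covers. Only the root module is inspected."""
    plan = json.loads(plan_json)
    planned = plan["planned_values"]["root_module"].get("resources", [])
    configured = plan["configuration"]["root_module"].get("resources", [])

    # association block name -> {subnet_name: explicit_key_or_None}
    targets = {r["name"]: _subnet_targets(r)
               for r in configured if r.get("type") == ASSOC_TYPE}
    # association block name -> for_each/count keys that were actually planned
    planned_keys = {}
    for r in planned:
        if r.get("type") == ASSOC_TYPE:
            planned_keys.setdefault(r["name"], set()).add(str(r.get("index")))

    covered = set()  # (subnet_name, key) pairs some association targets
    for assoc_name, subnets in targets.items():
        for subnet_name, explicit_key in subnets.items():
            keys = ({explicit_key} if explicit_key is not None
                    else planned_keys.get(assoc_name, set()))
            covered.update((subnet_name, k) for k in keys)

    return sorted(r["address"] for r in planned
                  if r.get("type") == SUBNET_TYPE
                  and (r["name"], str(r.get("index"))) not in covered)


if __name__ == "__main__":
    for address in unprotected_subnets(SAMPLE_PLAN_JSON):
        print("FAILED for resource:", address)
```

Matching by for_each key is the design choice that makes this work at plan time: the association's subnet_id is computed from the subnet's id and therefore unknown until apply, so the check trusts the configuration reference (which subnet block is targeted) plus the planned instance keys (which members of the map exist). That assumes the association and subnet blocks iterate the same map, as in the issue's code; an association whose subnet_id comes from a variable or data source is not credited and would show up as a false positive.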
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!
Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!