
download external modules flag is not working when using framework terraform_plan

Open eldin66 opened this issue 3 years ago • 5 comments

Describe the issue
When using the terraform_plan framework, checkov is throwing a warning saying that the external modules cannot be downloaded and asking to add the download external modules flag. However, even after adding that flag the downloads are not working, but it seems to be working when using the framework terraform.

Checkov version used: 2.0.988

Example Value
checkov -s --framework terraform_plan --quiet -f tf.json --repo-root-for-plan-enrichment . --download-external-modules true

2022-03-25 05:43:44,953 [MainThread ] [WARNI] Failed to download module terraform-google-modules/network/google (for external modules, the --download-external-modules flag is required)

terraform_plan scan results:

Passed checks: 2, Failed checks: 1, Skipped checks: 0

Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"

eldin66 avatar Mar 25 '22 06:03 eldin66

The error is identical to the one reported in #2098. Apparently, #2118 didn't work for this specific issue.

saerosV avatar Mar 25 '22 14:03 saerosV

Hi @eldin66, thanks for creating the issue. Can you please also add your OS system info and which directory you are running it from (please remove any personal info, but things like spaces or special characters could be important)?

gruebel avatar Mar 30 '22 23:03 gruebel

I believe this is the same issue that I'm having.

OS = OSX/google cloudbuild

Given the following TF code:

resource "google_project" "project_abc" {
  name                = "project-name-abc"
  project_id          = "project-name-abc-${random_string.project-suffix.result}"
  folder_id           = var.folder_id
  billing_account     = var.project_billing_account
  auto_create_network = false
}

resource "google_project_iam_audit_config" "audit_config_data" {
  project = google_project.project_abc.project_id
  service = "allServices"
  audit_log_config {
    log_type = "ADMIN_READ"
  }
  audit_log_config {
    log_type = "DATA_READ"
  }
}

Checkov will pass the two checks if you scan the directory.

❯ checkov -d .

       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/

By bridgecrew.io | version: 2.0.1064

terraform scan results:

Passed checks: 2, Failed checks: 0, Skipped checks: 0

Check: CKV_GCP_27: "Ensure that the default network does not exist in a project"
	PASSED for resource: google_project.project_abc
	File: /main.tf:1-7
	Guide: https://docs.bridgecrew.io/docs/bc_gcp_networking_7
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
	PASSED for resource: google_project.project_abc
	File: /main.tf:1-7
	Guide: https://docs.bridgecrew.io/docs/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project

But if you follow the instructions on: https://www.checkov.io/2.Basics/Installing%20Checkov.html and scan the plan file, then CKV2_GCP_5 will fail.

❯ terraform plan -out tf.plan; terraform show -json tf.plan > tf.json; checkov -f tf.json
...
Saved the plan to: tf.plan

To perform exactly these actions, run the following command to apply:
    terraform apply "tf.plan"

       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/

By bridgecrew.io | version: 2.0.1064

terraform_plan scan results:

Passed checks: 1, Failed checks: 1, Skipped checks: 0

Check: CKV_GCP_27: "Ensure that the default network does not exist in a project"
	PASSED for resource: google_project.project_abc
	File: /tf.json:0-0
	Guide: https://docs.bridgecrew.io/docs/bc_gcp_networking_7
Check: CKV2_GCP_5: "Ensure that Cloud Audit Logging is configured properly across all services and all users from a project"
	FAILED for resource: google_project.project_abc
	File: /tf.json:0-0
	Guide: https://docs.bridgecrew.io/docs/ensure-that-cloud-audit-logging-is-configured-properly-across-all-services-and-all-users-from-a-project

We are currently just going to use the -d option for running our checks.

infurio avatar Apr 14 '22 13:04 infurio
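The plan scan above fails CKV2_GCP_5 on the same two resources that pass in a directory scan. One thing a plan-based check has to deal with is that the audit config's project attribute is computed at apply time (project_id depends on random_string), so planned_values carries no value for it and the link to google_project exists only in the plan's configuration references. The following is an added Python example, not checkov's code, that restores that link from the references; the plan JSON is a constructed, trimmed stand-in for the thread's resources and the helper names are hypothetical.

```python
import json

# Constructed, trimmed stand-in for `terraform show -json tf.plan` with the thread's
# two resources (not real Terraform or checkov output). project_id is computed from
# random_string at apply time, so planned_values has no "project" value for the
# audit config; its link to google_project survives only in configuration references.
PLAN_JSON = """{
  "planned_values": {"root_module": {"resources": [
    {"address": "google_project.project_abc", "type": "google_project",
     "values": {"name": "project-name-abc", "auto_create_network": false}},
    {"address": "google_project_iam_audit_config.audit_config_data",
     "type": "google_project_iam_audit_config",
     "values": {"service": "allServices",
                "audit_log_config": [{"log_type": "ADMIN_READ"},
                                     {"log_type": "DATA_READ"}]}}
  ]}},
  "configuration": {"root_module": {"resources": [
    {"address": "google_project_iam_audit_config.audit_config_data",
     "type": "google_project_iam_audit_config",
     "expressions": {"project": {"references":
        ["google_project.project_abc.project_id", "google_project.project_abc"]}}}
  ]}}
}"""

def audit_config_coverage(plan: dict) -> dict:
    """Map each google_project address to True when an audit config with
    service = "allServices" references it (hypothetical helper, not a checkov API)."""
    planned = plan["planned_values"]["root_module"]["resources"]
    values = {r["address"]: r.get("values", {}) for r in planned}
    coverage = {r["address"]: False for r in planned if r["type"] == "google_project"}
    for res in plan["configuration"]["root_module"]["resources"]:
        if res["type"] != "google_project_iam_audit_config":
            continue
        if values.get(res["address"], {}).get("service") != "allServices":
            continue
        # Resolve the target project from configuration references, since
        # planned_values carries nothing to match on until apply.
        refs = res.get("expressions", {}).get("project", {}).get("references", [])
        for ref in refs:
            target = ".".join(ref.split(".")[:2])   # "google_project.<name>"
            if target in coverage:
                coverage[target] = True
    return coverage

def check_plan_text(text: str) -> dict:
    """Parse plan JSON text and evaluate the coverage check."""
    return audit_config_coverage(json.loads(text))
```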

Hello, I am getting this same problem. Running the command checkov -f tf.json --repo-root-for-plan-enrichment . --download-external-modules true, I get alerts that it has failed to download the modules:

MainThread  ] [WARNI]  Failed to download module git::*****:None (for external modules, the --download-external-modules flag is required)

But if I run this other command: checkov -d . --download-external-modules True, it doesn't fail: it downloads the modules and runs the scan correctly.

I understand that this is not the expected result. Any help to solve this?

Julmarcas avatar Jun 14 '22 16:06 Julmarcas

I was able to replicate the same as you mentioned.

coffeecoco avatar Nov 15 '22 00:11 coffeecoco

We are having the same issue with modules not being downloaded from our private repos by checkov.

I don't think this is an instance of #3355. We use a regular git monorepo for all of our modules, versioning them with tags that specify the module and version (e.g. mymodule/v1.0.0). We 'call' our modules via URLs that use the double forward slash to specify a subdirectory within the repo as below:

module "my_module" {
  source = "git::https://[email protected]/azdo_organization/terraform_modules/_git/terraform_modules//my-module?ref=my-module/v0.5.0"
  ...
}

ashleyghooper avatar Mar 18 '23 20:03 ashleyghooper
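As an added Python example (not checkov's or Terraform's own parser), here is a splitter for the module source form above: the "git::" prefix, the "//" subdirectory marker and the "?ref=" tag. The host and path in the test are constructed placeholders for the obfuscated URL in the comment.

```python
def parse_git_module_source(source: str) -> dict:
    """Split a Terraform "git::" module source into repo URL, subdirectory and ref.
    Hypothetical helper, not checkov's or Terraform's own parser."""
    if not source.startswith("git::"):
        raise ValueError("not a git:: module source")
    url, _, query = source[len("git::"):].partition("?")
    scheme, sep, rest = url.partition("://")   # sep is "" for scp-style git@host:path
    if not sep:
        rest = url
    # Terraform's "//" marks the subdirectory inside the repository.
    repo_path, _, subdir = rest.partition("//")
    repo = f"{scheme}://{repo_path}" if sep else repo_path
    params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
    return {"repo": repo, "subdir": subdir or None, "ref": params.get("ref")}
```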

duplicate of #1665

fleroux514 avatar May 02 '23 21:05 fleroux514

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] avatar Oct 30 '23 02:10 stale[bot]

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: codifiedsecurity.slack.com Thanks!

stale[bot] avatar Nov 14 '23 00:11 stale[bot]