False Positives on GCP Checks Using VPC Module
Describe the issue
Using the GCP VPC module shows two checks failing regardless of the inputs of the actual module variables.
Checks: CKV_GCP_74, CKV_GCP_76
Examples
Module:
module "vpc" {
  source  = "terraform-google-modules/network/google"
  version = "~> 3.0"

  project_id   = data.terraform_remote_state.project.outputs.project_id
  network_name = data.terraform_remote_state.project.outputs.project_id
  routing_mode = "GLOBAL"

  subnets = [
    {
      description           = "subnet-k8s"
      subnet_ip             = "192.168.0.0/22" # 1,024 addresses
      subnet_name           = "subnet-k8s"
      subnet_private_access = true
      subnet_region         = data.terraform_remote_state.project.outputs.region
    },
  ]
}
Resulting Checkov failures:

    Check: CKV_GCP_74: "Ensure that private_ip_google_access is enabled for Subnet"
        FAILED for resource: google_compute_subnetwork.subnetwork
    Check: CKV_GCP_76: "Ensure that Private google access is enabled for IPV6"
        FAILED for resource: google_compute_subnetwork.subnetwork
I would expect these to pass given that subnet_private_access is set to true.
Version (please complete the following information):
- Checkov Version 2.1.65
The code in the downloaded module is

    private_ip_google_access = lookup(each.value, "subnet_private_access", "false")

@gruebel, are lookups supported?
@JamesWoolfenden yeah, we do, but I think the problem actually lies in the for_each which we don't support.
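To make the mechanism behind this false positive concrete, here is an added example (not Checkov's code and not part of the original issue or the network module). It models a simplified "attribute must be true" policy, first applied to the raw `lookup(each.value, "subnet_private_access", "false")` expression string the scanner sees in the module, and then after resolving that lookup against the `for_each` element built from the issue's own subnets list. The `LOOKUP_RE` parser, the `attribute_is_true` policy and the region placeholder are all constructed for this illustration.

```python
import re

# Constructed sample: the subnets list from the issue above, as plain Python data.
# The region is a placeholder; the issue reads it from terraform_remote_state.
SUBNETS = [
    {
        "description": "subnet-k8s",
        "subnet_ip": "192.168.0.0/22",
        "subnet_name": "subnet-k8s",
        "subnet_private_access": True,
        "subnet_region": "REGION_PLACEHOLDER",
    },
]

# The attribute exactly as quoted from the module's google_compute_subnetwork
# resource in the thread: an unresolved HCL expression, not a literal.
MODULE_ATTR = 'lookup(each.value, "subnet_private_access", "false")'

# Hypothetical parser for the one expression shape this thread is about:
# lookup(each.value, "<key>", "<default>")
LOOKUP_RE = re.compile(r'^lookup\(each\.value,\s*"([^"]+)",\s*"([^"]*)"\)$')


def attribute_is_true(value):
    """Simplified 'attribute must be true' policy (not Checkov's own logic):
    passes for a boolean True or the string "true", fails for anything else,
    including an expression string that was never evaluated."""
    if value is True:
        return True
    return isinstance(value, str) and value.strip().lower() == "true"


def resolve_lookup(expr, each_value):
    """Evaluate lookup(each.value, key, default) against one for_each element,
    following Terraform's lookup() semantics for a map with a default."""
    match = LOOKUP_RE.match(expr)
    if not match:
        return expr  # not a lookup(); return the raw value unchanged
    key, default = match.group(1), match.group(2)
    return each_value.get(key, default)


def check_subnets(subnets, attr_expr):
    """Run both evaluations per subnet and report the difference.

    naive:    verdict of the simplified policy on the raw expression string
    resolved: verdict after substituting the subnet's for_each element
    """
    results = {}
    for subnet in subnets:
        resolved_value = resolve_lookup(attr_expr, subnet)
        results[subnet["subnet_name"]] = {
            "naive": attribute_is_true(attr_expr),
            "resolved_value": resolved_value,
            "resolved": attribute_is_true(resolved_value),
        }
    return results


if __name__ == "__main__":
    for name, verdict in check_subnets(SUBNETS, MODULE_ATTR).items():
        print(name, verdict)
    # A subnet that omits subnet_private_access picks up the module default
    # "false", so the resolved check fails there for a real reason.
    print(check_subnets([{"subnet_name": "no-pga"}], MODULE_ATTR))
```

For the issue's subnet the naive verdict is a failure while the resolved verdict passes, which is exactly the false positive reported above: the planned value is true, but the scanner only ever sees the unresolved expression inside the `for_each`. The second call shows the edge case where such a finding would be genuine, a subnet that never sets `subnet_private_access` and therefore inherits the module's "false" default.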
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!
Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!