
Some checks are not working as expected when using Terraform AWS modules

Open pgiovio-pomelo opened this issue 2 years ago • 3 comments

Describe the issue

I'm having problems with some checks such as CKV_AWS_79 or CKV_AWS_8 when I scan an EC2 instance resource using an AWS external module.

Examples

```hcl
module "ec2_instance" {
  source  = "terraform-aws-modules/ec2-instance/aws"
  version = "~> 4.0"

  name = "single-instance"

  ami                    = "ami-ebd02392"
  instance_type          = "t2.micro"
  key_name               = "user1"
  monitoring             = true
  vpc_security_group_ids = ["sg-12345678"]
  subnet_id              = "subnet-eddcdzz4"

  metadata_options = {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }

  tags = {
    Terraform   = "true"
    Environment = "dev"
  }
}
```

The expected result is PASS for the check CKV_AWS_79, but I'm getting a FAIL. It looks like checkov is not able to resolve the lookup function that the module uses in the dynamic "metadata_options" block.
I'm seeing the same behavior with other checks like CKV_AWS_8.

Version (please complete the following information):

  • Checkov Version 2.0.1211

Additional context: I'm executing `checkov -d folder/ --config-file conf.yaml`

conf.yaml:

```yaml
framework: terraform
hard-fail-on:
- CKV_AWS_3 # Ensure all data stored in the EBS is securely encrypted
- CKV_AWS_37 # Ensure Amazon EKS control plane logging enabled for all log types
- CKV2_AWS_6 # Ensure that S3 bucket has a Public Access block
- CKV_AWS_79 # Ensure Instance Metadata Service Version 1 is not enabled
- CKV_AWS_32 # Ensure ECR policy is not set to public
output:
- github_failed_only
quiet: true
soft-fail: true
```

pgiovio-pomelo avatar Aug 12 '22 14:08 pgiovio-pomelo
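To separate the dynamic-block rendering gap from a real misconfiguration, here is an added minimal reproduction (not code from the issue or from the terraform-aws-modules repository): `flat` writes `metadata_options` directly, while `dynamic_style` mimics the dynamic-block-plus-`lookup()` pattern the module uses (an assumption, simplified from the module, not copied from it). Both configure IMDSv2, so CKV_AWS_79 should PASS on both; on a checkov build that does not render dynamic blocks, only `flat` passes.

```hcl
# Added example, not part of the issue or the module. Same input shape as the
# module call in the issue.
variable "metadata_options" {
  type = map(string)
  default = {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}

# Flat resource: the attributes are visible to checkov as written, so
# CKV_AWS_79 (IMDSv1 disabled, i.e. http_tokens = "required") reports PASS.
resource "aws_instance" "flat" {
  ami           = "ami-12345678" # constructed placeholder
  instance_type = "t2.micro"

  metadata_options {
    http_endpoint = "enabled"
    http_tokens   = "required"
  }
}

# Dynamic-block style (assumption: simplified approximation of the module's
# pattern). A scanner that skips dynamic blocks sees no metadata_options at
# all, which the check treats as FAIL, even though the rendered plan is
# identical to "flat".
resource "aws_instance" "dynamic_style" {
  ami           = "ami-12345678" # constructed placeholder
  instance_type = "t2.micro"

  dynamic "metadata_options" {
    for_each = var.metadata_options != null ? [var.metadata_options] : []
    content {
      http_endpoint = lookup(metadata_options.value, "http_endpoint", "enabled")
      http_tokens   = lookup(metadata_options.value, "http_tokens", "optional")
    }
  }
}
```

Scanning with `checkov -f main.tf --check CKV_AWS_79` shows the difference directly; scanning a rendered plan instead (`terraform show -json tf.plan > plan.json`, then `checkov -f plan.json`) evaluates the resolved attributes and sidesteps the dynamic-block limitation.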

Hey @pgiovio-pomelo, thanks for reaching out. This is correct, currently checkov doesn't support dynamic blocks.

gruebel avatar Aug 19 '22 10:08 gruebel

Hey @pgiovio-pomelo we are now working on supporting dynamic blocks rendering, and we have already implemented a lot in this area. Could you please try again to scan this resource?

ChanochShayner avatar Nov 17 '22 14:11 ChanochShayner


Not the original poster but I just created my own EC2 using the module and even after I made the changes I still get soft fail for CKV_AWS_126, CKV_AWS_8 and CKV_AWS_79.

It's definitely not detecting changes in modules.

IrvicRodriguez avatar Jan 17 '23 06:01 IrvicRodriguez

Hi there, I am not the OP but I am also not getting any errors from CKV_AWS_54 (Ensure S3 Bucket BlockPublicPolicy is set to True) after removing it from my S3 module configuration.

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] avatar Jul 29 '23 23:07 stale[bot]

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!

stale[bot] avatar Aug 18 '23 19:08 stale[bot]