
feature request to support skips in nested modules

Open t3mi opened this issue 3 years ago • 0 comments

Describe the issue: As a user, I want a skip-checks configuration to be available as close as possible to the target resources, to eliminate the blast radius of such configuration.

Examples: A skip check is configured in the nested Terraform module modules/template1/main.tf for the bypass parameter, and it's not working.

# checkov config to scan using CKV_AZURE_36 rule only 
cat <<EOT > .checkov.yml
---
evaluate-variables: true
quiet: false
check:
  - CKV_AZURE_36

EOT

# create configuration folder
mkdir configs
cat <<EOT > configs/main.tf
# for_each needs a set or map, not a list; each template instance gets one variant
module "template1" {
  source = "../modules/template1"

  for_each = toset(["first", "second"])

  variants = [each.value]
}

module "template2" {
  source = "../modules/template2"

  for_each = toset(["third", "fourth"])

  variants = [each.value]
}

EOT

# create modules directories
mkdir modules
mkdir modules/storage
mkdir modules/template1
mkdir modules/template2

# storage module
cat <<EOT > modules/storage/main.tf
provider "azurerm" {
  features {}
}

resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}

resource "azurerm_virtual_network" "example" {
  name                = "example-vnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}

resource "azurerm_subnet" "example" {
  name                 = "example-subnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]
  service_endpoints    = ["Microsoft.Storage"]
}

resource "azurerm_storage_account" "example" {
  # checkov:skip=CKV_AZURE_36:False positive
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  min_tls_version          = "TLS1_2"

  tags = {
    environment = "staging"
  }
}
resource "azurerm_storage_account_network_rules" "example" {
  storage_account_id = azurerm_storage_account.example.id

  default_action             = "Deny"
  ip_rules                   = ["1.1.1.0/8"]
  virtual_network_subnet_ids = [azurerm_subnet.example.id]
  bypass                     = var.bypass
}

EOT

cat <<EOT > modules/storage/variables.tf
variable "bypass" {
  default = ["AzureServices"]
}

EOT

# template1 module
cat <<EOT > modules/template1/main.tf
module "storage" {
  source = "../storage"

  for_each = toset(var.variants)

  bypass = [] # checkov:skip=CKV_AZURE_36:REASON NESTED MODULE
}

EOT

cat <<EOT > modules/template1/variables.tf
variable "variants" {
  default = []
}

EOT

# template2 module
cat <<EOT > modules/template2/main.tf
module "storage" {
  source = "../storage"

  for_each = toset(var.variants)
}

EOT

cat <<EOT > modules/template2/variables.tf
variable "variants" {
  default = []
}

EOT

# structure result
tree -a
.
├── .checkov.yml
├── configs
│   └── main.tf
└── modules
    ├── storage
    │   ├── main.tf
    │   └── variables.tf
    ├── template1
    │   ├── main.tf
    │   └── variables.tf
    └── template2
        ├── main.tf
        └── variables.tf

5 directories, 8 files

Current behavior

# result of the scan
terraform scan results:

Passed checks: 1, Failed checks: 1, Skipped checks: 2

Check: CKV_AZURE_36: "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
        PASSED for resource: azurerm_storage_account_network_rules.example
        File: /modules/storage/main.tf:38-45
        Guide: https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access
Check: CKV_AZURE_36: "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
        FAILED for resource: azurerm_storage_account_network_rules.example
        File: /modules/storage/main.tf:38-45
        Guide: https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access

                38 | resource "azurerm_storage_account_network_rules" "example" {
                39 |   storage_account_id = azurerm_storage_account.example.id
                40 |
                41 |   default_action             = "Deny"
                42 |   ip_rules                   = ["1.1.1.0/8"]
                43 |   virtual_network_subnet_ids = [azurerm_subnet.example.id]
                44 |   bypass                     = var.bypass
                45 | }

Check: CKV_AZURE_36: "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
        SKIPPED for resource: azurerm_storage_account.example
        Suppress comment: False positive
        File: /modules/storage/main.tf:25-37
        Guide: https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access
Check: CKV_AZURE_36: "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
        SKIPPED for resource: azurerm_storage_account.example
        Suppress comment: False positive
        File: /modules/storage/main.tf:25-37
        Guide: https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access

Expected behavior

# result of the scan
terraform scan results:

Passed checks: 1, Failed checks: 0, Skipped checks: 3

Check: CKV_AZURE_36: "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
        PASSED for resource: azurerm_storage_account_network_rules.example
        File: /modules/storage/main.tf:38-45
        Guide: https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access
Check: CKV_AZURE_36: "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
        SKIPPED for resource: azurerm_storage_account_network_rules.example
        Suppress comment: REASON NESTED MODULE
        File: /modules/storage/main.tf:38-45
        Guide: https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access
Check: CKV_AZURE_36: "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
        SKIPPED for resource: azurerm_storage_account.example
        Suppress comment: False positive
        File: /modules/storage/main.tf:25-37
        Guide: https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access
Check: CKV_AZURE_36: "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
        SKIPPED for resource: azurerm_storage_account.example
        Suppress comment: False positive
        File: /modules/storage/main.tf:25-37
        Guide: https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access

Version (please complete the following information):

  • 2.1.210

Additional context: For the mentioned example, the Calling File: /configs/main.tf:1-7 parameters are missing from the check results, so it's hard to track the root cause.

t3mi, Sep 17 '22 10:09
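Added example, not code from this issue or from the checkov project: a small Python audit script that locates every `# checkov:skip=<CHECK_ID>:<reason>` comment in a Terraform tree and reports which top-level block it sits in. Per the behaviour reported above for checkov 2.1.210, only a skip inside the resource's own block suppresses a finding; a skip placed on a `module` call block (as in modules/template1/main.tf) does not reach the resources of the called module, so the script groups those separately so they can be reviewed or moved. The HCL handling is a deliberate simplification (brace counting with quoted strings blanked out; heredocs and multi-line strings are not handled), and the sample inputs at the bottom are constructed, modelled on the issue's modules/storage and modules/template1.

```python
"""Audit where checkov:skip comments sit in a Terraform tree.

Added example (not checkov's own code). The HCL reader is deliberately
small: brace counting with quoted strings blanked out, so heredocs and
multi-line strings are not handled.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

# checkov's documented inline form: # checkov:skip=<CHECK_ID>:<optional reason>
SKIP_RE = re.compile(r"#\s*checkov:skip=(?P<check>[A-Za-z0-9_.]+)(?::(?P<reason>.*))?$")
# Top-level block openers a skip is attributed to.
BLOCK_RE = re.compile(
    r'^\s*(?P<kind>resource|data|module)\s+"(?P<a>[^"]+)"(?:\s+"(?P<b>[^"]+)")?\s*\{'
)
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"')


@dataclass(frozen=True)
class Suppression:
    path: str
    line: int
    check: str
    reason: str
    block_kind: Optional[str]  # "resource", "data", "module" or None
    block_addr: Optional[str]  # e.g. azurerm_storage_account.example

    @property
    def effective(self) -> bool:
        # Only a skip inside the resource's own block suppresses the finding;
        # a skip on a module call does not reach the called module's resources
        # (the behaviour this issue reports for checkov 2.1.210).
        return self.block_kind == "resource"


def find_suppressions(text: str, path: str = "<inline>") -> list[Suppression]:
    found: list[Suppression] = []
    depth = 0
    kind: Optional[str] = None
    addr: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if depth == 0:
            m = BLOCK_RE.match(raw)
            if m:
                kind = m["kind"]
                if kind == "module":
                    addr = f"module.{m['a']}"
                elif kind == "data":
                    addr = f"data.{m['a']}.{m['b']}"
                else:
                    addr = f"{m['a']}.{m['b']}"
        m = SKIP_RE.search(raw)
        if m:
            found.append(Suppression(path, lineno, m["check"],
                                     (m["reason"] or "").strip(), kind, addr))
        # Count braces outside strings and comments to track block nesting.
        code = re.split(r"#|//", STRING_RE.sub('""', raw), maxsplit=1)[0]
        depth += code.count("{") - code.count("}")
        if depth <= 0:
            depth, kind, addr = 0, None, None
    return found


def classify(skips: list[Suppression]) -> dict[str, list[Suppression]]:
    """Group skips by placement: on a resource/data block, on a module call, or outside any block."""
    groups: dict[str, list[Suppression]] = {"resource": [], "module": [], "unanchored": []}
    for s in skips:
        if s.block_kind in ("resource", "data"):
            groups["resource"].append(s)
        elif s.block_kind == "module":
            groups["module"].append(s)
        else:
            groups["unanchored"].append(s)
    return groups


def scan_tree(root: Path) -> list[Suppression]:
    out: list[Suppression] = []
    for tf in sorted(root.rglob("*.tf")):
        out.extend(find_suppressions(tf.read_text(), tf.relative_to(root).as_posix()))
    return out


# Constructed samples modelled on the issue's modules/storage and modules/template1.
SAMPLE_STORAGE = """\
resource "azurerm_storage_account" "example" {
  # checkov:skip=CKV_AZURE_36:False positive
  name = "storageaccountname"
}

resource "azurerm_storage_account_network_rules" "example" {
  default_action = "Deny"
  bypass         = var.bypass
}
"""

SAMPLE_TEMPLATE = """\
module "storage" {
  source   = "../storage"
  for_each = toset(var.variants)

  bypass = [] # checkov:skip=CKV_AZURE_36:REASON NESTED MODULE
}
"""

if __name__ == "__main__":
    import sys
    skips = (scan_tree(Path(sys.argv[1])) if len(sys.argv) > 1
             else find_suppressions(SAMPLE_STORAGE, "modules/storage/main.tf")
             + find_suppressions(SAMPLE_TEMPLATE, "modules/template1/main.tf"))
    for group, items in classify(skips).items():
        for s in items:
            print(f"[{group:10}] {s.path}:{s.line} {s.check} on {s.block_addr} ({s.reason!r})")
```

Run it with a directory argument (`python audit_skips.py .`) to walk a real tree; without one it reports on the embedded samples. The "module" group is the set of suppressions that, under the reported behaviour, never take effect and should be moved into the resource block or replaced by a scoped configuration.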