checkov
incorrect skip behavior with multiple modules containing target resource

Describe the issue
Skips from one module are applied to the second module as well.

Examples
The skip is configured in the configuration for the module "template1" call, but for some reason it is also applied to another module.
# checkov config to scan using CKV_AZURE_36 rule only
cat <<EOT > .checkov.yml
---
evaluate-variables: true
quiet: false
check:
- CKV_AZURE_36
EOT
# create configuration folder
mkdir configs
cat <<EOT > configs/main.tf
module "template1" {
  # checkov:skip=CKV_AZURE_36:CONFIGURATION TEMPLATE 1
  source   = "../modules/template1"
  for_each = ["first", "second"]
  variants = each.value
}
module "template2" {
  source   = "../modules/template2"
  for_each = ["third", "fourth"]
  variants = each.value
}
EOT
# create modules directories
mkdir modules
mkdir modules/storage
mkdir modules/template1
mkdir modules/template2
# storage module
cat <<EOT > modules/storage/main.tf
provider "azurerm" {
  features {}
}
resource "azurerm_resource_group" "example" {
  name     = "example-resources"
  location = "West Europe"
}
resource "azurerm_virtual_network" "example" {
  name                = "example-vnet"
  address_space       = ["10.0.0.0/16"]
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
}
resource "azurerm_subnet" "example" {
  name                 = "example-subnet"
  resource_group_name  = azurerm_resource_group.example.name
  virtual_network_name = azurerm_virtual_network.example.name
  address_prefixes     = ["10.0.2.0/24"]
  service_endpoints    = ["Microsoft.Storage"]
}
resource "azurerm_storage_account" "example" {
  # checkov:skip=CKV_AZURE_36:False positive
  name                     = "storageaccountname"
  resource_group_name      = azurerm_resource_group.example.name
  location                 = azurerm_resource_group.example.location
  account_tier             = "Standard"
  account_replication_type = "GRS"
  min_tls_version          = "TLS1_2"
  tags = {
    environment = "staging"
  }
}
resource "azurerm_storage_account_network_rules" "example" {
  storage_account_id         = azurerm_storage_account.example.id
  default_action             = "Deny"
  ip_rules                   = ["1.1.1.0/8"]
  virtual_network_subnet_ids = [azurerm_subnet.example.id]
  bypass                     = var.bypass
}
EOT
cat <<EOT > modules/storage/variables.tf
variable "bypass" {
  default = ["AzureServices"]
}
EOT
# template1 module
cat <<EOT > modules/template1/main.tf
module "storage" {
  source   = "../storage"
  for_each = var.variants
  bypass   = []
}
EOT
cat <<EOT > modules/template1/variables.tf
variable "variants" {
  default = []
}
EOT
# template2 module
cat <<EOT > modules/template2/main.tf
module "storage" {
  source   = "../storage"
  for_each = var.variants
}
EOT
cat <<EOT > modules/template2/variables.tf
variable "variants" {
  default = []
}
EOT
# structure result
tree -a
.
├── .checkov.yml
├── configs
│   └── main.tf
└── modules
    ├── storage
    │   ├── main.tf
    │   └── variables.tf
    ├── template1
    │   ├── main.tf
    │   └── variables.tf
    └── template2
        ├── main.tf
        └── variables.tf

5 directories, 8 files
Current behavior
# result of the scan
terraform scan results:

Passed checks: 0, Failed checks: 0, Skipped checks: 4

Check: CKV_AZURE_36: "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
    SKIPPED for resource: azurerm_storage_account.example
    Suppress comment: False positive
    File: /modules/storage/main.tf:25-37
    Guide: https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access

Check: CKV_AZURE_36: "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
    SKIPPED for resource: azurerm_storage_account_network_rules.example
    Suppress comment: CONFIGURATION TEMPLATE 1
    File: /modules/storage/main.tf:38-45
    Guide: https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access

Check: CKV_AZURE_36: "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
    SKIPPED for resource: azurerm_storage_account.example
    Suppress comment: False positive
    File: /modules/storage/main.tf:25-37
    Guide: https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access

Check: CKV_AZURE_36: "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
    SKIPPED for resource: azurerm_storage_account_network_rules.example
    Suppress comment: CONFIGURATION TEMPLATE 1
    File: /modules/storage/main.tf:38-45
    Guide: https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access
Expected behavior
# result of the scan
terraform scan results:

Passed checks: 1, Failed checks: 0, Skipped checks: 3

Check: CKV_AZURE_36: "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
    PASSED for resource: azurerm_storage_account_network_rules.example
    File: /modules/storage/main.tf:38-45
    Guide: https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access

Check: CKV_AZURE_36: "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
    SKIPPED for resource: azurerm_storage_account_network_rules.example
    Suppress comment: CONFIGURATION TEMPLATE 1
    File: /modules/storage/main.tf:38-45
    Guide: https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access

Check: CKV_AZURE_36: "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
    SKIPPED for resource: azurerm_storage_account.example
    Suppress comment: False positive
    File: /modules/storage/main.tf:25-37
    Guide: https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access

Check: CKV_AZURE_36: "Ensure 'Trusted Microsoft Services' is enabled for Storage Account access"
    SKIPPED for resource: azurerm_storage_account.example
    Suppress comment: False positive
    File: /modules/storage/main.tf:25-37
    Guide: https://docs.bridgecrew.io/docs/enable-trusted-microsoft-services-for-storage-account-access
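The scoping the expected output above relies on can be stated as a small model. The Python below is an added illustration for this report and is not checkov's own code: it parses a constructed, trimmed copy of the files from the reproduction, attaches each `checkov:skip` comment to the module or resource block that encloses it, walks the module calls from `configs/`, and reports which resource instances a skip should reach. The module-path addresses it prints (`module.template1.module.storage....`) and the rule that a resource-level comment takes precedence over an inherited module-level one are assumptions of this model, chosen to reproduce the 1 passed / 3 skipped split the reporter expects.

```python
"""Added model of how inline checkov:skip comments should scope across nested modules.
Not checkov's own code: it encodes the rule the report expects, namely that a skip
inside a module call reaches only resources instantiated through that call, while a
skip inside a resource block reaches that resource in every module instance."""
from __future__ import annotations

import posixpath
import re
from dataclasses import dataclass, field

SKIP_RE = re.compile(r"#\s*checkov:skip=(?P<check>[A-Z0-9_]+)(?::(?P<comment>.+))?")
HEADER_RE = re.compile(r'^(?P<kind>module|resource)\s+"(?P<a>[^"]+)"(?:\s+"(?P<b>[^"]+)")?\s*\{')
SOURCE_RE = re.compile(r'^source\s*=\s*"(?P<src>[^"]+)"')

# Constructed copies of the report's files, trimmed to the parts that matter for skip scoping.
FILES = {
    "configs/main.tf": '''
module "template1" {
  # checkov:skip=CKV_AZURE_36:CONFIGURATION TEMPLATE 1
  source = "../modules/template1"
}
module "template2" {
  source = "../modules/template2"
}
''',
    "modules/template1/main.tf": 'module "storage" {\n  source = "../storage"\n}\n',
    "modules/template2/main.tf": 'module "storage" {\n  source = "../storage"\n}\n',
    "modules/storage/main.tf": '''
resource "azurerm_storage_account" "example" {
  # checkov:skip=CKV_AZURE_36:False positive
  name = "storageaccountname"
  tags = { environment = "staging" }
}
resource "azurerm_storage_account_network_rules" "example" {
  storage_account_id = azurerm_storage_account.example.id
}
''',
}


@dataclass
class Block:
    kind: str                  # "module" or "resource"
    address: str               # module label, or "type.name" for a resource
    source: str | None = None  # resolved module source directory (modules only)
    skips: dict[str, str] = field(default_factory=dict)  # check id -> suppress comment


def parse_file(path: str, text: str) -> list[Block]:
    """Attach each checkov:skip comment to the module/resource block that encloses it."""
    blocks: list[Block] = []
    current, depth = None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if current is None:
            m = HEADER_RE.match(line)
            if not m:
                continue  # blank lines and block kinds this model does not track
            addr = m["a"] if m["kind"] == "module" else f"{m['a']}.{m['b']}"
            current, depth = Block(m["kind"], addr), 0
        if (s := SKIP_RE.search(line)):
            current.skips[s["check"]] = (s["comment"] or "").strip()
        if current.kind == "module" and (src := SOURCE_RE.match(line)):
            current.source = posixpath.normpath(posixpath.join(posixpath.dirname(path), src["src"]))
        depth += line.count("{") - line.count("}")
        if depth <= 0:  # the brace that closes the block header we opened
            blocks.append(current)
            current = None
    return blocks


def collect(files: dict[str, str], root: str, prefix: list[str],
            inherited: dict[str, str], out: list[tuple[str, dict[str, str]]]) -> None:
    """Walk module calls from directory `root`; record each resource instance with the skips
    that reach it (module-call skips on the path, overridden by the resource's own)."""
    for fname, text in files.items():
        if posixpath.dirname(fname) != root:
            continue
        for blk in parse_file(fname, text):
            if blk.kind == "resource":
                address = ".".join([f"module.{m}" for m in prefix] + [blk.address])
                out.append((address, {**inherited, **blk.skips}))
            elif blk.source is not None:
                collect(files, blk.source, prefix + [blk.address], {**inherited, **blk.skips}, out)


def evaluate(check_id: str, files: dict[str, str] = FILES, root: str = "configs") -> dict[str, str | None]:
    """Map each resource instance address to its suppress comment for `check_id`, or None
    when the check must actually be evaluated for that instance."""
    found: list[tuple[str, dict[str, str]]] = []
    collect(files, root, [], {}, found)
    return {addr: skips.get(check_id) for addr, skips in found}


def summarize(results: dict[str, str | None]) -> dict[str, int]:
    skipped = sum(1 for c in results.values() if c is not None)
    return {"skipped": skipped, "evaluated": len(results) - skipped}


if __name__ == "__main__":
    res = evaluate("CKV_AZURE_36")
    for addr, comment in res.items():
        print(f"{addr}: {'SKIPPED (' + comment + ')' if comment else 'evaluated, not skipped'}")
    print(summarize(res))  # {'skipped': 3, 'evaluated': 1}, matching the expected behaviour above
```

Run it as a script to see the four instances: only the network-rules resource reached through `module.template2` is left for evaluation, which is the single PASSED entry in the expected output; the reported behaviour corresponds to the template1 comment also being attached to the template2 instance. Printing the full module address alongside each finding is also what makes that kind of mis-attribution visible in a scan report.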
Version (please complete the following information):
- 2.1.210
Additional context
For the mentioned example, the "Calling File: /configs/main.tf:1-7" parameters of the checks are missing from the result, so it is hard to track the root cause.