checkov icon indicating copy to clipboard operation
checkov copied to clipboard

Published 20 hours ago verified publisher icon bridgecrewio

False positives for AWS checks when using count and v4.x.x provider syntax

Open NoahCallaway opened this issue 2 years ago • 10 comments

Describe the issue I'm seeing false positives for the following checks when called from a module with the terraform count attribute. If no count is specified these checks pass. Note: I'm also using AWS v4 provider syntax where separate blocks are used. e.g. https://github.com/bridgecrewio/checkov/issues/2399 I don't think this fix accounted for use inside a module and iterated using count

Affected Checks as follows:

  • CKV_AWS_68: "CloudFront Distribution should have WAF enabled"
  • CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
  • CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
  • CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
  • CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
  • CKV2_AWS_23: "Route53 A Record has Attached Resource"

Examples

Checks FAIL with

# main.tf
module "my_module" {
  count = 1
  source = "./my-module"
}

Checks PASS with

# main.tf
module "my_module" {
  source = "./my-module"
}

# my-module/main.tf
resource "aws_s3_bucket" "mybucket" {
  bucket = "mybucket"
}

# should prevent CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
# should prevent CKV_AWS_19: "Ensure all data stored in the S3 bucket is securely encrypted at rest"
resource "aws_s3_bucket_server_side_encryption_configuration" "example" {
  bucket = aws_s3_bucket.mybucket.bucket

  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = aws_kms_key.mykey.arn
      sse_algorithm     = "aws:kms"
    }
  }
}

resource "aws_kms_key" "mykey" {
  description             = "This key is used to encrypt bucket objects"
  deletion_window_in_days = 10
}

# should prevent CKV_AWS_18: "Ensure the S3 bucket has access logging enabled"
resource "aws_s3_bucket_logging" "example" {
  bucket = aws_s3_bucket.mybucket.id

  target_bucket = aws_s3_bucket.mybucket.id
  target_prefix = "log/"
}

# should prevent CKV_AWS_21: "Ensure all data stored in the S3 bucket have versioning enabled"
resource "aws_s3_bucket_versioning" "bucket_versioning" {
  bucket = aws_s3_bucket.mybucket.id
  versioning_configuration {
    status = "Enabled"
  }
}

# provider.tf
terraform {
  required_version = ">= 0.13"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "4.36.1"
    }
  }
}

provider "aws" {
  region  = "var.region"
}

Version (please complete the following information):

  • Checkov Version 2.2.43

Additional context I'm running the checkov scans on .json plan files. checkov -f tfplan.json

NoahCallaway avatar Nov 11 '22 11:11 NoahCallaway

hey @NoahCallaway thanks fro reaching out. count and for_each are not fully supported yet, therefore it is no surprise it didn't work. We plan to start tackling it soon, but it will be first for normal resources.

gruebel avatar Dec 04 '22 17:12 gruebel

hey @NoahCallaway :) We are just finished adding the support of for_each/count Meta-Arguments in Terraform modules, Currently, it's under two environment variables:

  • CHECKOV_NEW_TF_PARSER
  • CHECKOV_ENABLE_MODULES_FOREACH_HANDLING

To recheck your setup please set those variables as True

Feel free to reach out in case something is not working.

ChanochShayner avatar Mar 29 '23 10:03 ChanochShayner

Thanks both!

NoahCallaway avatar Apr 05 '23 09:04 NoahCallaway

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!

stale[bot] avatar Oct 03 '23 01:10 stale[bot]

Hi @ChanochShayner , thanks for your reply! Using this variables: CHECKOV_NEW_TF_PARSER CHECKOV_ENABLE_MODULES_FOREACH_HANDLING

only apply to Terraform Modules or it can be used with Terraform Resources? Because I'm still getting the same error with terraform resources.

Thanks @NoahCallaway

martingaleano avatar Oct 18 '23 00:10 martingaleano

Guys, I believe this issue is not fixed yet. please find the details below

xxxx binnythomas$ checkov --version
3.0.38


terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">=4.0.0"
    }
  }

  required_version = ">= 1.0.11"
}

CHECKOV_ENABLE_MODULES_FOREACH_HANDLING=True CHECKOV_NEW_TF_PARSER=True checkov --directory ./infrastructure/terraform/build/

Still no luck it fails with false positives. Do let me know if i have missed something. @NoahCallaway Does it work for you?

I have just literally suppressed the lot of rules.

checkov -d . --skip-check "CKV_AWS_21,CKV_AWS_144,CKV_AWS_145,CKV2_AWS_6,CKV2_AWS_62,CKV2_AWS_61,CKV_AWS_18,CKV2_AWS_16,CKV_AWS_28,CKV_AWS_227,CKV_AWS_119"

thomasbinny avatar Nov 17 '23 18:11 thomasbinny

Hi @ChanochShayner , thanks for your reply! Using this variables: CHECKOV_NEW_TF_PARSER CHECKOV_ENABLE_MODULES_FOREACH_HANDLING

only apply to Terraform Modules or it can be used with Terraform Resources? Because I'm still getting the same error with terraform resources.

Thanks @NoahCallaway

@martingaleano Have you managed to fix this?

thomasbinny avatar Nov 20 '23 10:11 thomasbinny

@ChanochShayner, @gruebel count.index on Terraform resource is still not working

harishachappa avatar Dec 14 '23 15:12 harishachappa

This also seems to impact CKV2_AWS_6. I've been able to narrow it down to checkov 2.3.215 as the release that started breaking on the use of a count variable on an s3 bucket like this:

resource "aws_s3_bucket" "bucket" {
  count  = length(var.buckets) > 0 ? 1 : 0
  bucket = "my-bucket"
}

resource "aws_s3_bucket_public_access_block" "bucket" {
  count  = length(var.buckets) > 0 ? 1 : 0
  bucket = aws_s3_bucket.bucket[0].id

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

The same code will pass on checkov 2.3.214. It appears that checkov 2.3.215 introduced the "new TF parser": https://github.com/bridgecrewio/checkov/compare/2.3.214...2.3.215

Not exactly sure why that was considered a patch update instead of a major or at least minor version bump.

oldskool avatar Feb 02 '24 20:02 oldskool

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!

stale[bot] avatar Aug 04 '24 07:08 stale[bot]