checkov
Unable to check security group association if the security group is referenced by the resource dynamically.
Describe the issue
Enforcing TLS encryption for AWS MSK needs to be checked on the attached Security Group resource, as specific ports support TLS. Ref: https://docs.aws.amazon.com/msk/latest/developerguide/port-info.html
If the Security Group and the MSK Cluster are being provisioned together and dynamically referenced in Terraform, the YAML policy is unable to check the connection.
Similar behavior is noticed in other cases where terraform plan shows a parameter value as "known after apply".
Examples
Terraform code reference:
```hcl
resource "aws_msk_cluster" "msk_cluster" {
  count = var.enabled > 0 ? 1 : 0

  tags                   = var.tag_map
  cluster_name           = var.cluster_name
  kafka_version          = var.kafka_version
  number_of_broker_nodes = var.number_of_broker_nodes

  broker_node_group_info {
    instance_type   = var.instance_type
    ebs_volume_size = var.ebs_volume_size
    client_subnets  = data.aws_subnet_ids.tier2_app_layer.ids
    # Security group created in the same apply, referenced through its count index
    security_groups = [aws_security_group.msk_broker_sg.0.id]
  }

  client_authentication {
    sasl {
      scram = true
    }
  }

  logging_info {
    broker_logs {
      cloudwatch_logs {
        enabled   = true
        log_group = aws_cloudwatch_log_group.msk_broker_log_group.0.name
      }
    }
  }
}

resource "aws_security_group" "msk_broker_sg" {
  count = var.enabled > 0 ? 1 : 0

  name        = "${var.cluster_name}-cluster-sg"
  description = "MSK broker sg"
  vpc_id      = data.aws_vpc.vpc.id
}
```
Desktop (please complete the following information):
- OS: [e.g. iOS]
- Checkov Version: 22
Additional context
Add any other context about the problem here (e.g. code snippets).
hey @arkaprava-jana thanks for reaching out. We currently don't support this; the same goes for for_each. We plan on tackling it, but not this year.
The "known after apply" is a known limitation and we don't plan on supporting it any time soon, because, as it says, you only know after applying the plan what is happening.
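To make the limitation discussed above concrete, here is an added example (not Checkov's own code and not part of the original issue thread) of how a static check can still link an MSK cluster to a security group created in the same plan. When `security_groups` is "known after apply" in the plan's `resource_changes`, the concrete id is unavailable, but the plan's `configuration` section still carries the `references` of the expression, and the check can resolve the security group through those instead. It then flags ingress rules that admit the MSK plaintext listener ports (9092 for clients, 2181 for ZooKeeper, per the port documentation linked in the issue) and reports UNKNOWN, rather than a false PASS, when the ingress rules themselves are unresolved. The plan excerpt is constructed by hand and the function names are this example's own.

```python
"""Resolve an aws_msk_cluster's security group through terraform plan JSON
references and check that it does not admit MSK plaintext listener ports."""
import json

# Non-TLS listener ports from the MSK port documentation linked in the issue:
# 9092 (plaintext client) and 2181 (plaintext ZooKeeper).
PLAINTEXT_PORTS = {9092, 2181}

# Constructed, minimal excerpt of `terraform show -json tfplan`. Both resources are
# created in one run, so the cluster's security_groups list is only known after apply.
PLAN_JSON = json.dumps({
    "resource_changes": [
        {"address": "aws_msk_cluster.msk_cluster[0]", "type": "aws_msk_cluster",
         "change": {"actions": ["create"],
                    "after": {"broker_node_group_info": [{"security_groups": None}]},
                    "after_unknown": {"broker_node_group_info": [{"security_groups": True}]}}},
        {"address": "aws_security_group.msk_broker_sg[0]", "type": "aws_security_group",
         "change": {"actions": ["create"],
                    "after": {"ingress": [
                        {"from_port": 9094, "to_port": 9094, "protocol": "tcp"},
                        {"from_port": 9092, "to_port": 9092, "protocol": "tcp"}]},
                    "after_unknown": {"id": True}}},
    ],
    "configuration": {"root_module": {"resources": [
        {"address": "aws_msk_cluster.msk_cluster", "type": "aws_msk_cluster",
         "expressions": {"broker_node_group_info": [{"security_groups": {
             "references": ["aws_security_group.msk_broker_sg[0].id",
                            "aws_security_group.msk_broker_sg[0]",
                            "aws_security_group.msk_broker_sg"]}}]}},
    ]}},
})

# Variant of the same plan where the group's ingress rules are also unresolved
# (e.g. rules built from a value that is itself known after apply).
_variant = json.loads(PLAN_JSON)
_variant["resource_changes"][1]["change"]["after"]["ingress"] = None
_variant["resource_changes"][1]["change"]["after_unknown"]["ingress"] = True
PLAN_JSON_UNKNOWN_INGRESS = json.dumps(_variant)


def _base_address(address):
    """'aws_security_group.msk_broker_sg[0].id' -> 'aws_security_group.msk_broker_sg'."""
    return address.rsplit(".id", 1)[0].split("[")[0]


def _configured_sg_bases(plan, cluster_address):
    """Security-group resources the cluster references in configuration (no values needed)."""
    for res in plan["configuration"]["root_module"]["resources"]:
        if res["address"] == _base_address(cluster_address):
            bngi = res["expressions"].get("broker_node_group_info") or [{}]
            refs = bngi[0].get("security_groups", {}).get("references", [])
            return {_base_address(r) for r in refs}
    return set()


def resolve_security_groups(plan, cluster):
    """Return the aws_security_group resource_changes attached to `cluster`.
    Uses concrete ids when the plan knows them; otherwise falls back to the
    configuration references, which is the only link available before apply."""
    sgs = [rc for rc in plan["resource_changes"] if rc["type"] == "aws_security_group"]
    after = (cluster["change"].get("after") or {}).get("broker_node_group_info") or [{}]
    unknown = (cluster["change"].get("after_unknown") or {}).get("broker_node_group_info") or [{}]
    if unknown[0].get("security_groups") is not True and after[0].get("security_groups"):
        ids = set(after[0]["security_groups"])
        return [sg for sg in sgs if (sg["change"].get("after") or {}).get("id") in ids]
    bases = _configured_sg_bases(plan, cluster["address"])
    return [sg for sg in sgs if _base_address(sg["address"]) in bases]


def plaintext_ports(sg):
    """Plaintext MSK ports admitted by the group's ingress, or None if undecidable."""
    change = sg["change"]
    if (change.get("after_unknown") or {}).get("ingress") is True:
        return None
    found = set()
    for rule in (change.get("after") or {}).get("ingress") or []:
        lo, hi = rule["from_port"], rule["to_port"]
        if rule.get("protocol") == "-1" or (lo == 0 and hi == 0):  # all traffic
            found |= PLAINTEXT_PORTS
        found |= {p for p in PLAINTEXT_PORTS if lo <= p <= hi}
    return found


def check_msk_tls_only(plan_json):
    """Map each aws_msk_cluster address to (PASSED|FAILED|UNKNOWN, detail)."""
    plan = json.loads(plan_json)
    results = {}
    for rc in plan["resource_changes"]:
        if rc["type"] != "aws_msk_cluster":
            continue
        verdict, detail = "PASSED", ""
        sgs = resolve_security_groups(plan, rc)
        if not sgs:
            verdict, detail = "UNKNOWN", "no security group could be resolved"
        for sg in sgs:
            ports = plaintext_ports(sg)
            if ports is None:
                verdict, detail = "UNKNOWN", f"{sg['address']}: ingress known after apply"
                break
            if ports:
                verdict, detail = "FAILED", f"{sg['address']} opens plaintext ports {sorted(ports)}"
                break
        results[rc["address"]] = (verdict, detail)
    return results


if __name__ == "__main__":
    for name, plan in (("resolved", PLAN_JSON), ("unknown ingress", PLAN_JSON_UNKNOWN_INGRESS)):
        for addr, (verdict, detail) in check_msk_tls_only(plan).items():
            print(f"[{name}] {addr}: {verdict} {detail}")
```

The point of the three-way verdict is that a dynamically referenced or "known after apply" value should surface as UNKNOWN in the report, so the gap is visible, rather than being silently skipped and counted as passing.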
Hey @arkaprava-jana :) We just finished adding support for the for_each/count meta-arguments in Terraform resources. Feel free to reach out in case something is not working.
Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io Thanks!
Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!