checkov
CKV2_AWS_49: false positive with for_each usage
Describe the issue
When calling a module with a DMS replication endpoint, the CKV2_AWS_49 check fails with version 2.2.290. This is for a migration from a postgres database to an aurora-postgresql cluster.
Examples
```hcl
# module call input: one source and one target endpoint
endpoints = [
  {
    endpoint_type = "source"
    id            = "source"
    username      = ...
    password      = ...
    server_name   = ...
    port          = ...
    engine_name   = "postgres"
  },
  {
    endpoint_type = "target"
    id            = "target"
    username      = ...
    password      = ...
    server_name   = ...
    port          = ...
  }
]
```
```hcl
variable "endpoints" {
  type = list(object({
    id            = string
    endpoint_type = string
    username      = string
    password      = string
    server_name   = string
    port          = optional(number, 5432)
    database_name = optional(string, null)
    engine_name   = optional(string, "aurora-postgresql")
  }))

  validation {
    # exactly two endpoints, one "source" and one "target"
    condition     = length(var.endpoints) == 2 && contains(["source", "target"], var.endpoints[0].endpoint_type) && contains(["source", "target"], var.endpoints[1].endpoint_type) && (var.endpoints[0].endpoint_type != var.endpoints[1].endpoint_type)
    error_message = "you should define exactly two endpoints - one with endpoint_type `source` and another with endpoint_type `target`"
  }
}
```
```hcl
resource "aws_dms_endpoint" "endpoints" {
  # one endpoint per element, keyed by its id
  for_each = { for ep in var.endpoints : ep.id => ep }

  endpoint_id               = each.value.id
  endpoint_type             = each.value.endpoint_type
  engine_name               = each.value.engine_name
  kms_key_arn               = var.kms_key_arn
  server_name               = each.value.server_name
  ssl_mode                  = "require"
  replication_task_settings = ...
  username                  = ...
  password                  = ...
  port                      = ...
  database_name             = ...
}
```
Expected output
```text
Check: CKV2_AWS_49: "Ensure AWS Database Migration Service endpoints have SSL configured" PASSED for resource: module.test.aws_dms_endpoint.endpoints["source"]
Check: CKV2_AWS_49: "Ensure AWS Database Migration Service endpoints have SSL configured" PASSED for resource: module.test.aws_dms_endpoint.endpoints["target"]
```
Real output
```text
Check: CKV2_AWS_49: "Ensure AWS Database Migration Service endpoints have SSL configured" FAILED for resource: module.database-migration.aws_dms_endpoint.endpoints

resource "aws_dms_endpoint" "endpoints" {
  for_each = { for ep in var.endpoints : ep.id => ep }

  endpoint_id   = each.value.id
  endpoint_type = each.value.endpoint_type
  engine_name   = each.value.engine_name
  kms_key_arn   = var.kms_key_arn
  server_name   = each.value.server_name
  ssl_mode      = "require"
  username      = ...
  password      = ...
  port          = ...
  database_name = ...
}
```
Version
- Checkov Version 2.2.290 (GitHub Actions)
Additional context
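As an added illustration, not code from this report or from Checkov, here is a small Python model of evaluating this check per `for_each` instance: the collection is expanded into the two addresses the expected output lists, and the SSL condition is evaluated on each instead of once on the unexpanded resource. The expander and the check condition (`ssl_mode` set and not `"none"`) are assumptions, not Checkov's implementation.

```python
# Constructed example: a tiny for_each expander plus the SSL condition, not
# Checkov's own parser or graph. Input mirrors the HCL in this report.
import re

# variable "endpoints" value from the module call (constructed)
ENDPOINTS = [
    {"id": "source", "endpoint_type": "source", "engine_name": "postgres"},
    {"id": "target", "endpoint_type": "target", "engine_name": "aurora-postgresql"},
]

# resource body with for_each = { for ep in var.endpoints : ep.id => ep };
# attribute values are kept as raw HCL expressions
RESOURCE = {
    "address": "module.database-migration.aws_dms_endpoint.endpoints",
    "attributes": {
        "endpoint_id": "each.value.id",
        "endpoint_type": "each.value.endpoint_type",
        "engine_name": "each.value.engine_name",
        "ssl_mode": '"require"',
    },
}

EACH_REF = re.compile(r"^each\.value\.(\w+)$")

def resolve(expr, each_value):
    """Resolve a quoted literal or an each.value.<key> reference."""
    if expr.startswith('"') and expr.endswith('"'):
        return expr[1:-1]
    m = EACH_REF.match(expr)
    if m:
        return each_value.get(m.group(1))
    return expr  # anything else is left unresolved

def expand_for_each(resource, endpoints):
    """One instance per element, keyed by ep.id as the page's expression does."""
    instances = {}
    for ep in endpoints:
        attrs = {k: resolve(v, ep) for k, v in resource["attributes"].items()}
        instances[f'{resource["address"]}["{ep["id"]}"]'] = attrs
    return instances

def ssl_configured(attrs):
    """Assumed CKV2_AWS_49 condition: ssl_mode is set and is not "none"."""
    mode = attrs.get("ssl_mode")
    return mode is not None and mode != "none"

def run_check(resource, endpoints):
    """Evaluate the condition per expanded instance, as the expected output lists."""
    return {addr: "PASSED" if ssl_configured(a) else "FAILED"
            for addr, a in expand_for_each(resource, endpoints).items()}
```

Running `run_check(RESOURCE, ENDPOINTS)` yields one PASSED entry per keyed address; swapping the literal for `"none"` or dropping `ssl_mode` makes every instance FAILED.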
Hey @ArturFortunato, thanks for reaching out.
We currently don't support `for_each` at the resource and module level, but we are currently in the planning phase, so look out in the coming weeks 🍻
Is the module publicly accessible?
Hey @gruebel, thank you for answering super fast! All right, I'll link this thread and keep an eye on this, but for now I'll disable the checks!
Unfortunately the module is private, but let me know if you want me to add more info (I accidentally published before adding all the info, but it should all be there now!)
Thanks for adding the extra info, it should be enough to reconstruct the problem 😄
Hey @ArturFortunato :) We have just finished adding support for the `for_each`/`count` meta-arguments in Terraform resources. Feel free to reach out in case something is not working.