
Checkov ignores terraform tfvars file specified in `--var-file` flag

Open ppawlowski opened this issue 2 years ago • 9 comments

Describe the issue

Checkov ignores the path to the tfvars file specified in --var-file when the file is in a different directory than the Terraform root module. A deep analysis has been made in another PR discussion: https://github.com/bridgecrewio/checkov/issues/3580#issuecomment-1346950236

Examples

main.tf:

provider "azurerm" {
    features {}
}

variable "storage" {
    type = object({
        name = string
        tls = string
    })
}

resource "azurerm_storage_account" "this" {
  name = var.storage.name
  min_tls_version = var.storage.tls
}

terraform.tfvars:

storage = {
    name = "checkovTest"
    tls = "TLS1_2"
}

Directory structure:

.
└── checkov_debug
    ├── main.tf
    └── vars
        └── terraform.tfvars

checkov execution (irrelevant output omitted):

 $ checkov -d checkov_debug/ -c CKV_AZURE_44 --var-file=./checkov_debug/vars/terraform.tfvars

terraform scan results:

Passed checks: 0, Failed checks: 1, Skipped checks: 0

Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
	FAILED for resource: azurerm_storage_account.this
	File: /main.tf:12-15
	Guide: https://docs.bridgecrew.io/docs/bc_azr_storage_2

		12 | resource "azurerm_storage_account" "this" {
		13 |   name = var.storage.name
		14 |   min_tls_version = var.storage.tls
		15 | }

Expected checkov output (irrelevant output omitted):

terraform scan results:

Passed checks: 1, Failed checks: 0, Skipped checks: 0

Check: CKV_AZURE_44: "Ensure Storage Account is using the latest version of TLS encryption"
	PASSED for resource: azurerm_storage_account.this
	File: /main.tf:12-15
	Guide: https://docs.bridgecrew.io/docs/bc_azr_storage_2

Version:

  • 2.2.297

ppawlowski avatar Jan 24 '23 13:01 ppawlowski

@bridgecrew-bot Can you assign someone to this?

nicholas-marchini avatar Apr 01 '23 18:04 nicholas-marchini

@gruebel - Hi, I would like to pick this issue up. @JamesWoolfenden as discussed.

StevePerezUK avatar Apr 24 '23 11:04 StevePerezUK

@StevePerezUK sure go ahead 🙂

gruebel avatar Apr 24 '23 12:04 gruebel

Does the var-file option need to be relative to the current working directory, or whichever directory is passed to --directory?

Based on OP's example I would assume the following, similar to how terraform includes tfvar files relative to whatever directory is passed to the --directory (checkov) or -src (terraform) argument.

$ checkov -d checkov_debug/ -c CKV_AZURE_44 --var-file=vars/terraform.tfvars

cbcoutinho avatar May 02 '23 15:05 cbcoutinho

@cbcoutinho - This is the requirement to fix --var-file so it works in the same way as terraform. https://developer.hashicorp.com/terraform/language/values/variables#variable-definition-precedence

StevePerezUK avatar May 03 '23 12:05 StevePerezUK

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!

stale[bot] avatar Nov 13 '23 08:11 stale[bot]

Not stale.

ppawlowski avatar Nov 16 '23 16:11 ppawlowski

I'm still seeing this issue; even when adding a file which does not exist, no error or warning is thrown.

Januznl avatar Apr 17 '24 10:04 Januznl
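As an added example, not Checkov's or Terraform's own code, the Python below mirrors the behaviour the thread asks for: it loads variable definitions for a root module in Terraform's documented precedence order (terraform.tfvars, then *.auto.tfvars in lexical order, then each --var-file in the order given), resolves a relative --var-file against the working directory rather than the module directory, raises an error when that file does not exist (instead of the silence reported in the last comment), and evaluates the CKV_AZURE_44 condition on the merged variables. The tfvars parser, the function names and the temporary directory layout (a reconstruction of the OP's checkov_debug/vars structure) are constructed for this example; the parser handles only the subset of HCL that appears in the issue.

```python
"""Added example (not Checkov's or Terraform's own code): load tfvars files in
Terraform's precedence order and evaluate a CKV_AZURE_44-style condition."""
import re
import tempfile
from pathlib import Path

# Tokens for the tfvars subset the issue uses: whitespace, comments, quoted strings,
# punctuation and identifiers. Anything else is rejected rather than skipped.
_TOKEN = re.compile(r'\s+|#[^\n]*|//[^\n]*|"(?:[^"\\]|\\.)*"|[{}=,]|[A-Za-z_][A-Za-z0-9_-]*')
# Constructed tfvars content, the same values as the issue's terraform.tfvars.
TFVARS = 'storage = {\n    name = "checkovTest"\n    tls = "TLS1_2"\n}\n'

def _tokenize(text):
    pos, tokens = 0, []
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"unsupported tfvars syntax at offset {pos}")
        pos, tok = m.end(), m.group(0)
        if not tok.isspace() and not tok.startswith(("#", "//")):
            tokens.append(tok)
    return tokens

def _expect(toks, want):
    got = toks.pop(0) if toks else None
    if got != want:
        raise ValueError(f"expected {want!r}, got {got!r}")

def _parse_body(toks, closing=None):
    # Parse `key = value` attributes until `closing` (None means end of input).
    out = {}
    while toks and toks[0] != closing:
        key = toks.pop(0)
        _expect(toks, "=")
        out[key] = _parse_value(toks)
        if toks and toks[0] == ",":  # commas are optional separators inside object literals
            toks.pop(0)
    return out

def _parse_value(toks):
    tok = toks.pop(0) if toks else None
    if tok == "{":
        obj = _parse_body(toks, "}")
        _expect(toks, "}")
        return obj
    if tok and tok.startswith('"'):
        return tok[1:-1].replace('\\"', '"')
    raise ValueError(f"unexpected token {tok!r}")

def parse_tfvars(text):
    return _parse_body(_tokenize(text))

def resolve_var_files(root_module, var_files, cwd=None):
    # Terraform precedence: terraform.tfvars(.json), then *.auto.tfvars(.json) in lexical
    # order, then each -var-file in command-line order; later files override earlier ones.
    root = Path(root_module)
    base = Path(cwd) if cwd is not None else Path.cwd()
    ordered = [root / n for n in ("terraform.tfvars", "terraform.tfvars.json") if (root / n).is_file()]
    ordered += sorted(p for p in root.iterdir() if p.name.endswith((".auto.tfvars", ".auto.tfvars.json")))
    for raw in var_files:
        # A relative -var-file resolves against the working directory (as Terraform does),
        # not the module directory, and a missing file is an error instead of silence.
        path = Path(raw) if Path(raw).is_absolute() else base / raw
        if not path.is_file():
            raise FileNotFoundError(f"--var-file {raw!r} not found (resolved to {path})")
        ordered.append(path)
    return ordered

def load_variables(root_module, var_files, cwd=None):
    merged = {}
    for path in resolve_var_files(root_module, var_files, cwd):
        merged.update(parse_tfvars(path.read_text()))  # whole-variable override, no deep merge
    return merged

def storage_uses_latest_tls(variables):
    # CKV_AZURE_44-style condition: min_tls_version (= var.storage.tls) must be TLS1_2.
    storage = variables.get("storage")
    return isinstance(storage, dict) and storage.get("tls") == "TLS1_2"

def demo():
    # Recreate the issue's checkov_debug/vars layout in a temp dir and run the checks.
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "checkov_debug"
        (root / "vars").mkdir(parents=True)
        (root / "vars" / "terraform.tfvars").write_text(TFVARS)
        var_file = "./checkov_debug/vars/terraform.tfvars"  # the path from the issue's command
        try:
            resolve_var_files(root, ["./checkov_debug/vars/missing.tfvars"], cwd=base)
            missing_rejected = False
        except FileNotFoundError:
            missing_rejected = True
        return {
            "resolved": [p.relative_to(base).as_posix() for p in resolve_var_files(root, [var_file], cwd=base)],
            "passed_with_var_file": storage_uses_latest_tls(load_variables(root, [var_file], cwd=base)),
            "passed_without_var_file": storage_uses_latest_tls(load_variables(root, [], cwd=base)),
            "missing_rejected": missing_rejected,
        }
```

Running demo() reproduces both sides of the report: with the --var-file applied the storage variable carries tls = "TLS1_2" and the check passes, while loading only the files Terraform would pick up automatically from the module directory yields no storage variable at all and the check fails, which is the FAILED result in the issue. Resolving the path against the working directory is a deliberate choice that matches Terraform's CLI; a scanner that instead resolves it against the -d directory would accept the shorter vars/terraform.tfvars form suggested in the thread, and either convention is defensible as long as a path that resolves to nothing is reported rather than dropped.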