
CKV_AWS_103 - False findings on our AWS ALB

Open dbbc96 opened this issue 1 year ago • 9 comments

Describe the issue: 2 days ago our build passed, but today we got multiple failures. One of them indicates that we should ensure the LB is using TLS 1.2, which it is.

Examples: Here are code snippets from our module, whose defaults are listed:

variable "listener_ssl_policy_default" {
  description = "The security policy if using HTTPS externally on the load balancer. [See](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/elb-security-policy-table.html)."
  type        = string
  default     = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06" # TLS 1.2-only policy
}

resource "aws_lb_listener" "frontend_https" {
  # One listener per entry in var.https_listeners; none if the LB is not created
  count = var.create_lb ? length(var.https_listeners) : 0

  load_balancer_arn = aws_lb.this[0].arn

  port     = var.https_listeners[count.index]["port"]
  protocol = lookup(var.https_listeners[count.index], "protocol", "HTTPS")
  certificate_arn = var.https_listeners[count.index]["certificate_arn"]
  # Falls back to the module default when the caller does not set ssl_policy
  ssl_policy      = lookup(var.https_listeners[count.index], "ssl_policy", var.listener_ssl_policy_default)
}

Additional context: The resources haven't changed, so they passed 2 days ago, but today the build is failing on multiple items. This report is just on the ALB finding.

dbbc96 avatar May 04 '23 17:05 dbbc96

To give an update, I found that it works fine on 2.3.214, but on 220 or 223 it fails. 223 is the version that our pipeline had installed.

dbbc96 avatar May 04 '23 19:05 dbbc96

Hey @dbbc96, thanks for reaching out.

We recently enabled support for for_each in checkov, because before we ignored most of the information in your resource definition.

I also need to see the definition for the var.https_listeners, because without it we can't investigate the issue.

gruebel avatar May 05 '23 03:05 gruebel

Here is what we have for the ALB:

  # Caller-side value passed into the module; no ssl_policy key, so the
  # module default should apply
  https_listeners = [
    {
      port               = 443
      protocol           = "HTTPS"
      certificate_arn    = aws_acm_certificate.mycert_cert.arn
      target_group_index = 0
    }
  ]

Here is what is in the module:

variable "https_listeners" {
  description = "A list of maps describing the HTTPS listeners for this ALB. Required key/values: port, certificate_arn. Optional key/values: ssl_policy (defaults to ELBSecurityPolicy-2016-08), target_group_index (defaults to https_listeners[count.index])"
  type        = any
  default     = []
}

dbbc96 avatar May 05 '23 13:05 dbbc96

Thanks. I took a look, and I think something is off with lookup in the context of count.

gruebel avatar May 07 '23 14:05 gruebel

So did you find something wrong on your side?

dbbc96 avatar May 22 '23 18:05 dbbc96

As I wrote, currently the combination of count + lookup doesn't work correctly.

gruebel avatar May 23 '23 00:05 gruebel
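To make the diagnosis above concrete, here is an added Python model (not Checkov's own check implementation, and not code from anyone in this thread) of what CKV_AWS_103 decides when the `lookup(var.https_listeners[count.index], ...)` expressions are resolved versus left as raw text. The listener data is constructed from the values posted above; the second listener, the placeholder certificate ARNs, the `TLS12_PREFIXES` list and the simplified check logic are assumptions made for the illustration.

```python
"""Added illustration (not Checkov's code) of how CKV_AWS_103 flips from
PASSED to FAILED when a scanner stops resolving count + lookup()."""

# Constructed caller input: the https_listeners entry from the thread, plus a
# second listener that explicitly pins the older, TLS 1.0-capable
# ELBSecurityPolicy-2016-08 so a genuine failure can be seen side by side.
HTTPS_LISTENERS = [
    {
        "port": 443,
        "protocol": "HTTPS",
        "certificate_arn": "arn:aws:acm:us-east-1:123456789012:certificate/example",  # placeholder
        "target_group_index": 0,
    },
    {
        "port": 8443,
        "certificate_arn": "arn:aws:acm:us-east-1:123456789012:certificate/example",  # placeholder
        "ssl_policy": "ELBSecurityPolicy-2016-08",
    },
]
LISTENER_SSL_POLICY_DEFAULT = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"

# Assumption: ELB policy families that require at least TLS 1.2.
TLS12_PREFIXES = (
    "ELBSecurityPolicy-TLS-1-2",
    "ELBSecurityPolicy-FS-1-2",
    "ELBSecurityPolicy-TLS13-1-2",
)


def tf_lookup(mapping, key, default):
    """Terraform's lookup(map, key, default) semantics."""
    return mapping.get(key, default)


def resolve_listener(index):
    """Attributes of aws_lb_listener.frontend_https[index] after Terraform
    expands count and evaluates lookup(), i.e. what actually gets deployed."""
    item = HTTPS_LISTENERS[index]
    return {
        "port": item["port"],
        "protocol": tf_lookup(item, "protocol", "HTTPS"),
        "certificate_arn": item["certificate_arn"],
        "ssl_policy": tf_lookup(item, "ssl_policy", LISTENER_SSL_POLICY_DEFAULT),
    }


def unresolved_listener():
    """What a scanner sees if it leaves the count/lookup expressions as raw
    text instead of evaluating them (the failure mode described in the thread)."""
    return {
        "port": 'var.https_listeners[count.index]["port"]',
        "protocol": 'lookup(var.https_listeners[count.index], "protocol", "HTTPS")',
        "certificate_arn": 'var.https_listeners[count.index]["certificate_arn"]',
        "ssl_policy": 'lookup(var.https_listeners[count.index], "ssl_policy", '
                      'var.listener_ssl_policy_default)',
    }


def check_ckv_aws_103(conf):
    """Simplified model of the CKV_AWS_103 decision: HTTPS/TLS listeners pass
    only with a TLS 1.2-minimum ssl_policy; TCP/UDP listeners have no TLS to
    check; anything else (including an unresolved expression) fails."""
    protocol = conf.get("protocol")
    if protocol in ("TCP", "UDP", "TCP_UDP"):
        return "PASSED"
    if protocol in ("HTTPS", "TLS"):
        policy = conf.get("ssl_policy", "")
        return "PASSED" if policy.startswith(TLS12_PREFIXES) else "FAILED"
    return "FAILED"


def scan(resolve_expressions):
    """Run the check over every count index, with or without expression
    resolution. Returns {resource_address: (ssl_policy_seen, verdict)}."""
    results = {}
    for i in range(len(HTTPS_LISTENERS)):
        conf = resolve_listener(i) if resolve_expressions else unresolved_listener()
        results[f"aws_lb_listener.frontend_https[{i}]"] = (conf["ssl_policy"], check_ckv_aws_103(conf))
    return results


if __name__ == "__main__":
    for resolved in (True, False):
        print("resolved expressions" if resolved else "unresolved expressions")
        for address, (policy, verdict) in scan(resolved).items():
            print(f"  {address}: {verdict} (ssl_policy = {policy})")
```

With resolution, listener 0 passes on `ELBSecurityPolicy-TLS-1-2-Ext-2018-06` and listener 1 fails on `ELBSecurityPolicy-2016-08`, which is the distinction a reviewer wants: the thread's finding is a false positive only if the deployed policy really is TLS 1.2, and the model shows that an unresolved expression is reported as FAILED regardless of the deployed value. To confirm which case you are in, compare the scan against a pinned version the thread found clean (for example `pip install checkov==2.3.214`) and limit the run with `--check CKV_AWS_103`; if the deployed policy is verified, an inline `# checkov:skip=CKV_AWS_103:<reason>` on the resource suppresses the finding without disabling the check elsewhere.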

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!

stale[bot] avatar Nov 19 '23 21:11 stale[bot]

So what will be needed to resolve this issue?

dbbc96 avatar Nov 19 '23 21:11 dbbc96

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!

stale[bot] avatar May 17 '24 23:05 stale[bot]

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: codifiedsecurity.slack.com Thanks!

stale[bot] avatar Jun 24 '24 04:06 stale[bot]