
CKV_AWS_26 Terraform plan does not have required parameter during first iteration or plan

Open cloudtriquetra opened this issue 10 months ago • 2 comments

Describe the issue

When Terraform plan is run for the first time, the parameter kms_master_key_id is not present in child_modules/resource/values. It is available in resource_changes/change/after_unknown. Hence the policy fails.

But when we run terraform plan a 2nd time, i.e. after apply, the parameter and its associated value get updated in child_modules/resource/values and the policy passes.

Examples

resource "aws_sns_topic" "sns_topic" {
  count                                      = var.create_topic ? 1 : 0
  name                                       = "${local.name_prefix}${var.fifo_topic ? ".fifo" : ""}"
  fifo_topic                                 = var.fifo_topic
  content_based_deduplication                = var.content_based_deduplication
  kms_master_key_id                          = var.sns_kms_key_arn
  tags                                       = var.tag_map
}

Version (please complete the following information):

  • Checkov Version 2.3.326

cloudtriquetra avatar Aug 22 '23 09:08 cloudtriquetra

Hey @arkaprava-jana, thanks for reaching out.

This is a known limitation, which we don't plan on tackling any time soon. I can't find the issue number where it was already mentioned in the past.

A TF plan sadly doesn't offer much information on what precisely will actually change under the after_unknown block, and just blindly using it would result in too many false positives/negatives.

Ex.

resource "aws_kms_key" "example" {
  description             = "example"
}

resource "aws_sns_topic" "example" {
  name              = "example"
  kms_master_key_id = aws_kms_key.example.arn
}

This results in the following after_unknown block for aws_sns_topic:

"after_unknown": {
  "arn": true,
  "id": true,
  "kms_master_key_id": true,
  "name_prefix": true,
  "owner": true,
  "policy": true,
  "signature_version": true,
  "tags_all": true,
  "tracing_config": true
}

This falsely marks name_prefix and tracing_config as having a value after the apply, but they won't exist in the actual state of the resource.

I'll keep this one open till I find the previous issue.

gruebel avatar Aug 22 '23 13:08 gruebel
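To make the two plan stages from the report and the after_unknown caveat in the reply above concrete, here is an added example. It is not Checkov's code and not from either commenter. It scores a CKV_AWS_26-style check against a constructed first-run plan and a constructed after-apply plan in three modes, and goes one step beyond the thread: it also reads the plan's `configuration` block, which records which attributes are actually set in HCL, to separate an attribute that is unknown because it references another resource (kms_master_key_id) from one Terraform merely computes (name_prefix). The module name `sns`, the placeholder key ARN and the trimmed plan fragments are assumptions shaped after `terraform show -json` output.

```python
"""Added example (not Checkov code): evaluate a CKV_AWS_26-style check against a
Terraform plan JSON at first plan vs. after apply. Plan fragments below are
constructed to mirror `terraform show -json`; the module name "sns", resource
names and the key ARN are assumptions."""
import json
import re

# Constructed plan: first run, the KMS key does not exist yet so its ARN is unknown.
FIRST_PLAN = {
    "format_version": "1.2",
    "resource_changes": [{
        "address": "module.sns.aws_sns_topic.sns_topic[0]",
        "module_address": "module.sns",
        "mode": "managed", "type": "aws_sns_topic", "name": "sns_topic", "index": 0,
        "change": {
            "actions": ["create"],
            "before": None,
            "after": {"name": "example", "fifo_topic": False, "tags": {}},
            "after_unknown": {
                "arn": True, "id": True, "kms_master_key_id": True,
                "name_prefix": True, "owner": True, "policy": True,
                "signature_version": True, "tags_all": True, "tracing_config": True,
            },
        },
    }],
    "configuration": {"root_module": {"module_calls": {"sns": {"source": "./modules/sns", "module": {
        "resources": [{
            "address": "aws_sns_topic.sns_topic", "type": "aws_sns_topic", "name": "sns_topic",
            "expressions": {
                "name": {"constant_value": "example"},
                "fifo_topic": {"constant_value": False},
                # kms_master_key_id is wired to a reference: configured, even though unknown
                "kms_master_key_id": {"references": ["var.sns_kms_key_arn"]},
                "tags": {"references": ["var.tag_map"]},
            },
            "count_expression": {"references": ["var.create_topic"]},
        }]}}}}},
}

# Constructed plan: second run after apply; the value is known and the change is a no-op.
SECOND_PLAN = json.loads(json.dumps(FIRST_PLAN))  # deep copy
_rc = SECOND_PLAN["resource_changes"][0]
_rc["change"]["actions"] = ["no-op"]
_rc["change"]["after"]["kms_master_key_id"] = "arn:aws:kms:us-east-1:000000000000:key/constructed"
_rc["change"]["before"] = _rc["change"]["after"]
_rc["change"]["after_unknown"] = {}


def find_change(plan, address):
    return next(rc for rc in plan["resource_changes"] if rc["address"] == address)


def attribute_state(rc, attr):
    """'known' if a non-empty value is in `after`, 'unknown' if only flagged in
    `after_unknown`, otherwise 'absent'."""
    after = rc["change"].get("after") or {}
    if after.get(attr) not in (None, ""):
        return "known"
    if (rc["change"].get("after_unknown") or {}).get(attr) is True:
        return "unknown"
    return "absent"


def configured_expressions(plan, rc):
    """Walk configuration.root_module.module_calls down to the resource's HCL
    expressions. Returns {} if the resource cannot be located."""
    module = plan["configuration"]["root_module"]
    # "module.sns.module.child" -> ["sns", "child"]; drops any [index] on count/for_each calls
    for name in re.findall(r"module\.([^.\[]+)", rc.get("module_address") or ""):
        module = module.get("module_calls", {}).get(name, {}).get("module", {})
    for res in module.get("resources", []):
        if res.get("type") == rc["type"] and res.get("name") == rc["name"]:
            return res.get("expressions", {})
    return {}


def is_configured(plan, rc, attr):
    return attr in configured_expressions(plan, rc)


def evaluate(plan, address, attr="kms_master_key_id", mode="values_only"):
    """mode: values_only (what the issue reports), trust_after_unknown (naive),
    config_aware (an unknown value counts only if the attribute is set in HCL)."""
    rc = find_change(plan, address)
    state = attribute_state(rc, attr)
    if state == "known":
        return "PASSED"
    if state == "absent" or mode == "values_only":
        return "FAILED"
    if mode == "trust_after_unknown":
        return "PASSED"
    if mode == "config_aware":
        return "PASSED" if is_configured(plan, rc, attr) else "FAILED"
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    addr = "module.sns.aws_sns_topic.sns_topic[0]"
    for mode in ("values_only", "trust_after_unknown", "config_aware"):
        print(f"{mode:>20}: first plan {evaluate(FIRST_PLAN, addr, mode=mode)}, "
              f"after apply {evaluate(SECOND_PLAN, addr, mode=mode)}, "
              f"name_prefix on first plan {evaluate(FIRST_PLAN, addr, 'name_prefix', mode)}")
```

Run against a real plan with `terraform show -json plan.out > plan.json` and `json.load` in place of the constructed dicts. The `values_only` row reproduces the report (FAILED on the first plan, PASSED after apply); `trust_after_unknown` also returns PASSED for name_prefix, which is the false positive described above; `config_aware` fixes that case. The caveat is that `config_aware` only shows the attribute is wired up in HCL, not that it resolves to a non-null key at apply time (var.sns_kms_key_arn could still be null or empty), so it remains weaker evidence than a known value.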

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at codifiedsecurity.slack.com Thanks!

stale[bot] avatar Feb 19 '24 22:02 stale[bot]

Hi all, I am seeing the same issue on check CKV_AWS_27, where the plan file converted to JSON shows "sqs_managed_sse_enabled": true in the after_unknown section, but the check passes if the code is deployed and checkov is rerun.

forstops avatar Feb 22 '24 15:02 forstops