CKV2_AZURE_41 false positive?
Describe the issue
I applied the fix to CKV2_AZURE_41 check according to this guide. Unfortunately, the check still fails.
Examples
In code it looks like that:
resource "azurerm_storage_account" "this" {
  name = var.name
  (...)
  sas_policy {
    expiration_period = "90.00:00:00"
    expiration_action = "Log"
  }
}
Version (please complete the following information):
- Checkov Version 3.2.50
Hi @acelebanski, I have tested this policy and do not see any issue with code but I have requested our team to update the docs.
I used the following code for testing.
resource "azurerm_storage_account" "pass_1" {
  name = "pud-storage2023abc1"
  resource_group_name = var.rg-name
  location = var.location
  account_tier = "Standard"
  account_replication_type = "GRS"
  shared_access_key_enabled = true
  sas_policy {
    expiration_period = "90.00:00:00"
    expiration_action = "Log"
  }
  tags = {
    bc_status = "pass"
  }
}
If the issue persists, please share the full resource code. Thanks
Same issue
It looks like it's not fixed yet, I tried to add this sas_policy block to this repo:
https://github.com/PaloAltoNetworks/terraform-azurerm-swfw-modules/blob/main/modules/bootstrap/main.tf
But the check still doesn't pass so I had to ignore it.
Hello @naveednawazkhan, any news on this one?
Still an issue, and doesn't seem to like the use of variables.
sas_policy {
  expiration_period = var.storage_account_sas_expiration_period
  expiration_action = "Log"
}
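An independent cross-check for the variable case reported above, added here as an example that is not part of the thread and not checkov's own logic: it reads a resolved plan in the shape of `terraform show -json` output, where variables already carry their values, and reports which `azurerm_storage_account` resources have a `sas_policy` with an `expiration_period`. The sample plan, its resource addresses and the `DD.HH:MM:SS` pattern check are constructed assumptions.

```python
import json
import re

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "azurerm_storage_account.this", "type": "azurerm_storage_account",
     "values": {"sas_policy": [{"expiration_action": "Log",
                                "expiration_period": "90.00:00:00"}]}},
    {"address": "azurerm_resource_group.rg", "type": "azurerm_resource_group",
     "values": {}}],
  "child_modules": [{"resources": [
    {"address": "module.bootstrap.azurerm_storage_account.this",
     "type": "azurerm_storage_account", "values": {"sas_policy": []}},
    {"address": "module.bootstrap.azurerm_storage_account.bad",
     "type": "azurerm_storage_account",
     "values": {"sas_policy": [{"expiration_period": "90 days"}]}}]}]}}}
""")

# Assumption: the provider expects expiration_period as DD.HH:MM:SS.
PERIOD_RE = re.compile(r"^\d+\.\d{2}:\d{2}:\d{2}$")

def iter_resources(module):
    """Yield resources from a module and all nested child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def check_sas_policy(plan):
    """Map each storage account address to PASS or a FAIL reason."""
    results = {}
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "azurerm_storage_account":
            continue
        blocks = (res.get("values") or {}).get("sas_policy") or []
        period = blocks[0].get("expiration_period") if blocks else None
        if period is None:
            results[res["address"]] = "FAIL: no sas_policy expiration_period"
        elif not isinstance(period, str) or not PERIOD_RE.match(period):
            results[res["address"]] = f"FAIL: unexpected period {period!r}"
        else:
            results[res["address"]] = "PASS"
    return results

if __name__ == "__main__":
    for address, verdict in check_sas_policy(SAMPLE_PLAN).items():
        print(f"{verdict:45} {address}")
```

To run it against a real plan, replace `SAMPLE_PLAN` with the parsed JSON from `terraform show -json` on a saved plan file.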