checkov icon indicating copy to clipboard operation
checkov copied to clipboard

Published 20 hours ago verified publisher icon bridgecrewio

fix(terraform_plan): Edges not created because of indexing in resource["address"] when resources in modules use count

Open sourava01 opened this issue 10 months ago • 2 comments

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Description

When resources are defined using count, resource["address"] contains indexes but module_call_resource['address'] does not. Proper resource mapping is not created in some cases, resulting in false flags.

Fixes #6135

Steps to recreate

Use a terraform module which uses implicitly uses count in its resources:

module "s3-bucket_example_complete" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "4.0.1"
  lifecycle_rule = [
    {
      id                                     = "log1"
      enabled                                = true
      abort_incomplete_multipart_upload_days = 7

      noncurrent_version_transition = [
        {
          days          = 90
          storage_class = "GLACIER"
        }
      ]

      noncurrent_version_expiration = {
        days = 300
      }
    }
  ]
}

Generate a plan file: terraform init && terraform plan -out plan && terraform show -json plan > plan.json Then run any connection type check: checkov -f plan.json --check CKV2_AWS_61

Result: Passed checks: 0, Failed checks: 1, Skipped checks: 0

With LOG_LEVEL=info checkov -f plan.json --check CKV2_AWS_61 we can clearly see that edges are not getting created: [INFO ] [TerraformLocalGraph] created 0 edges

After this change:

Result: Passed checks: 1, Failed checks: 0, Skipped checks: 0

With LOG_LEVEL=info checkov -f plan.json --check CKV2_AWS_61 we now get [INFO ] [TerraformLocalGraph] created 8 edges

Checklist:

  • [x] My code follows the style guidelines of this project
  • [x] I have performed a self-review of my own code
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [x] I have made corresponding changes to the documentation
  • [x] I have added tests that prove my feature, policy, or fix is effective and works
  • [x] New and existing tests pass locally with my changes
  • [x] Any dependent changes have been merged and published in downstream modules

sourava01 avatar Apr 04 '24 20:04 sourava01

@sourava01 you also have a small lint issue which fails the PR.

flake8...................................................................Failed
- hook id: flake8
- exit code: 1

checkov/terraform/plan_parser.py:215:116: E231 missing whitespace after ','

SteveVaknin avatar Apr 21 '24 08:04 SteveVaknin

@SteveVaknin I have added the testcases. While playing around, I found another bug which occurs when you define multiple modules with connected resources. Edges do not get created properly in this case, resulting in false alerts. I have fixed and added test cases for this fix also.

sourava01 avatar Apr 22 '24 13:04 sourava01

Thanks a lot for your review and suggestions @SteveVaknin 🙌

sourava01 avatar May 02 '24 15:05 sourava01