Describe the issue
Hi,
Some AWS checks fail when a resource is created inside a module that is instantiated with `for_each` or `count`.
Example checks:
- CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
- CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
Command:
checkov -f tfplan2.json --check "CKV2_AWS_6,CKV_AWS_145" --framework "terraform_plan" --repo-root-for-plan-enrichment .
Result:
Passed checks: 0, Failed checks: 2, Skipped checks: 0
Check: CKV2_AWS_6: "Ensure that S3 bucket has a Public Access block"
FAILED for resource: module.aws_s3[0].aws_s3_bucket.this
File: ../modules/aws-s3/main.tf
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-networking-policies/s3-bucket-should-have-public-access-blocks-defaults-to-false-if-the-public-access-block-is-not-attached
18 | resource "aws_s3_bucket" "this" {
19 | provider = aws.alternate
20 | bucket = var.name
21 | }
Check: CKV_AWS_145: "Ensure that S3 buckets are encrypted with KMS by default"
FAILED for resource: module.aws_s3[0].aws_s3_bucket.this
File: ../modules/aws-s3/main.tf
Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/aws-policies/aws-general-policies/ensure-that-s3-buckets-are-encrypted-with-kms-by-default
18 | resource "aws_s3_bucket" "this" {
19 | provider = aws.alternate
20 | bucket = var.name
21 | }
Examples
main.tf
# Module instantiated with `count`; the plan then addresses its resources as
# module.aws_s3[0].<type>.<name> (this is the address in the FAILED lines above).
module "aws_s3" {
  count       = 1
  source      = "../modules/aws-s3"
  name        = "cheeeeck"
  # Redacted by the reporter; inside the module it becomes kms_master_key_id.
  kms_key_arn = "********"
  providers = {
    aws.alternate = aws.sap_env
  }
}
or, equivalently with `for_each`:
# Same module instantiated with `for_each`; the plan then addresses its
# resources as module.aws_s3["ceckov"].<type>.<name>.
module "aws_s3" {
  source      = "../modules/aws-s3"
  for_each    = { "ceckov" = "" }
  name        = each.key
  # Redacted by the reporter; inside the module it becomes kms_master_key_id.
  kms_key_arn = "********"
  providers = {
    aws.alternate = aws.sap_env
  }
}
../modules/aws-s3/main.tf
# The bucket itself carries no public-access or encryption settings; both are
# configured by the sibling resources below, which reference this bucket by
# name. The two failing checks presumably need to associate those siblings
# with this bucket, so the indexed module address may be what breaks the link.
resource "aws_s3_bucket" "this" {
  provider = aws.alternate
  bucket   = var.name
}
# Default encryption with a customer-managed KMS key (sse_algorithm "aws:kms"),
# i.e. the configuration CKV_AWS_145 ("encrypted with KMS by default") asks for.
# The plan output above shows this resource with the same module.aws_s3[0] prefix
# as the bucket, yet the check still reports FAILED.
resource "aws_s3_bucket_server_side_encryption_configuration" "cmk" {
  provider = aws.alternate
  bucket   = aws_s3_bucket.this.bucket
  rule {
    apply_server_side_encryption_by_default {
      kms_master_key_id = var.kms_key_arn
      sse_algorithm     = "aws:kms"
    }
  }
}
# Public Access Block with all four settings enabled, i.e. what CKV2_AWS_6
# ("Ensure that S3 bucket has a Public Access block") asks for. It is attached
# to the bucket via `bucket = aws_s3_bucket.this.bucket`, and the plan shows it
# with the same module.aws_s3[0] prefix, yet the check still reports FAILED.
resource "aws_s3_bucket_public_access_block" "block_public" {
  provider                = aws.alternate
  bucket                  = aws_s3_bucket.this.bucket
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}
Desktop (please complete the following information):
- OS: Ubuntu 22.04
- Checkov Version: 3.2.43
Additional context
Checks pass when the module is used as a single instance (no `count`/`for_each`):
- key like => module.aws_s3.aws_s3_bucket.this will be created
Checks fail when the module uses `for_each`/`count`; the only visible difference is the index suffix in the module address:
- key like => module.aws_s3["ceckov"].aws_s3_bucket.this will be created
- key like => module.aws_s3[0].aws_s3_bucket.this will be created
Terraform plan example (excerpt of `planned_values`):
"planned_values": {
"root_module": {
"child_modules": [{
"resources": [{
"address": "module.aws_s3[0].aws_s3_bucket.this",
"mode": "managed",
"type": "aws_s3_bucket",
"name": "this",
"schema_version": 0,
"values": {
"bucket": "cheeeeck",
"force_destroy": false,
"tags": null,
"timeouts": null
},
"sensitive_values": {
"cors_rule": [],
"grant": [],
"lifecycle_rule": [],
"logging": [],
"object_lock_configuration": [],
"replication_configuration": [],
"server_side_encryption_configuration": [],
"tags_all": {},
"versioning": [],
"website": []
}
}, {
"address": "module.aws_s3[0].aws_s3_bucket_public_access_block.block_public",
"mode": "managed",
"type": "aws_s3_bucket_public_access_block",
"name": "block_public",
"schema_version": 0,
"values": {
"block_public_acls": true,
"block_public_policy": true,
"bucket": "cheeeeck",
"ignore_public_acls": true,
"restrict_public_buckets": true
},
"sensitive_values": {}
}, {
"address": "module.aws_s3[0].aws_s3_bucket_server_side_encryption_configuration.cmk",
"mode": "managed",
"type": "aws_s3_bucket_server_side_encryption_configuration",
"name": "cmk",
"schema_version": 0,
"values": {
"bucket": "cheeeeck",
"expected_bucket_owner": null,
"rule": [{
"apply_server_side_encryption_by_default": [{
"kms_master_key_id": "**************************",
"sse_algorithm": "aws:kms"
}],
"bucket_key_enabled": null
}]
},
"sensitive_values": {
"rule": [{
"apply_server_side_encryption_by_default": [{}]
}]
}
}],
"address": "module.aws_s3[0]"
}]
}
},
Thanks