misconfiguration with false-positive while using terraform data with for_each #10026

felipeng · 2026-01-08T18:09:49Z

felipeng
Jan 8, 2026

Description

Trivy has a false-positive when using data resource with for_each

Desired Behavior

No misconfiguration found

Actual Behavior

Finds the misconfiguration: AVD-AWS-0090 (MEDIUM): Bucket does not have versioning enabled

Reproduction Steps

Using this terraform code

locals {
  aws-s3 = {
    my-bucket = {
      versioning_status = "Enabled"
      attach_policy     = true
      policy            = data.aws_iam_policy_document.policy1["dev"].json
    }
  }
}

#trivy:ignore:AVD-AWS-0132 trivy:ignore:AVD-AWS-0088 trivy:ignore:AVD-AWS-0089
module "aws-s3" {
  source   = "terraform-aws-modules/s3-bucket/aws"
  version  = "~> 4.11.0"
  for_each = local.aws-s3

  bucket        = each.key
  attach_policy = try(each.value.attach_policy, false)
  policy        = try(each.value.policy, null)
  versioning = {
    status = try(each.value.versioning_status, "Disabled")
  }
}

data "aws_iam_policy_document" "policy1" {
  for_each = toset(["dev"])
}

data "aws_iam_policy_document" "policy2" {
  for_each = toset(["dev"])
}


Run: `trivy config .`

Trivy has a false-positive with "AVD-AWS-0090 (MEDIUM): Bucket does not have versioning enabled". Even the data-policy2 is not being used in the `module` for_each loop. For some reason if comment out the "data policy2 block" works correctly (no misconfiguration found)

Target

None

Scanner

Misconfiguration

Output Format

None

Mode

Standalone

Debug Output

trivy config . -d
2026-01-08T10:09:24-08:00       DEBUG   Default config file "file_path=trivy.yaml" not found, using built in values
2026-01-08T10:09:24-08:00       DEBUG   Cache dir       dir="/Users/felipe.gonzalez/Library/Caches/trivy"
2026-01-08T10:09:24-08:00       DEBUG   Cache dir       dir="/Users/felipe.gonzalez/Library/Caches/trivy"
2026-01-08T10:09:24-08:00       DEBUG   Parsed severities       severities=[UNKNOWN LOW MEDIUM HIGH CRITICAL]
2026-01-08T10:09:24-08:00       INFO    [misconfig] Misconfiguration scanning is enabled
2026-01-08T10:09:24-08:00       DEBUG   [misconfig] Checks successfully loaded from disk
2026-01-08T10:09:24-08:00       DEBUG   [notification] Running version check
2026-01-08T10:09:24-08:00       DEBUG   [rego] Overriding filesystem for checks
2026-01-08T10:09:24-08:00       DEBUG   [rego] Embedded libraries are loaded    count=17
2026-01-08T10:09:24-08:00       DEBUG   [rego] Embedded checks are loaded       count=519
2026-01-08T10:09:24-08:00       DEBUG   [notification] Version check completed  latest_version="0.68.2"
2026-01-08T10:09:24-08:00       DEBUG   [rego] Checks from disk are loaded      count=536
2026-01-08T10:09:24-08:00       DEBUG   [rego] Overriding filesystem for data
2026-01-08T10:09:24-08:00       DEBUG   Enabling misconfiguration scanners      scanners=[azure-arm cloudformation dockerfile helm kubernetes terraform terraformplan-json terraformplan-snapshot]
2026-01-08T10:09:24-08:00       DEBUG   Initializing scan cache...      type="memory"
2026-01-08T10:09:24-08:00       DEBUG   [fs] Analyzing...       root="."
2026-01-08T10:09:24-08:00       DEBUG   Created process-specific temp directory path="/var/folders/rh/cz877djs1mbcvbn998mvgbzr0000gn/T/trivy-63689"
2026-01-08T10:09:24-08:00       DEBUG   Skipping path   path=".terraform/modules/aws-s3/.git"
2026-01-08T10:09:24-08:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Terraform"
2026-01-08T10:09:24-08:00       DEBUG   [terraform scanner] Scanning directory  file_path="."
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Parsing      module="root" file_path="aws-s3-locals.tf"
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Added file   module="root" file_path="aws-s3-locals.tf"
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Parsing      module="root" file_path="provider.tf"
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Added file   module="root" file_path="provider.tf"
2026-01-08T10:09:24-08:00       INFO    [terraform scanner] Scanning root module        file_path="."
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Setting project/module root  module="root" file_path="."
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Parsing FS   module="root" file_path="."
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Parsing      module="root" file_path="aws-s3-locals.tf"
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Added file   module="root" file_path="aws-s3-locals.tf"
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Parsing      module="root" file_path="provider.tf"
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Added file   module="root" file_path="provider.tf"
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Loading module       module="root" module="root"
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Read block(s) and ignore(s)  module="root" blocks=6 ignores=3
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Added input variables from tfvars    module="root" count=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Loaded module metadata for modules   module="root" file_path=".terraform/modules/modules.json" count=2
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Working directory for module evaluation      module="root" file_path="/Users/felipe.gonzalez/sandbox/terraform-trivy-s3"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting module evaluation...     module="root" path="."
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=1
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Context unchanged module="root" iteration=1
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'for_each' attribute.      module="root" block="data.aws_iam_policy_document.policy1" clones=1
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'for_each' attribute.      module="root" block="data.aws_iam_policy_document.policy2" clones=1
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Module resolved using modules.json        module="root" block="module.aws-s3" source="terraform-aws-modules/s3-bucket/aws" modulePath=".terraform/modules/aws-s3"
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Parsing FS   module="root" module="aws-s3" file_path=".terraform/modules/aws-s3"
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Parsing      module="root" module="aws-s3" file_path=".terraform/modules/aws-s3/main.tf"
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Added file   module="root" module="aws-s3" file_path=".terraform/modules/aws-s3/main.tf"
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Parsing      module="root" module="aws-s3" file_path=".terraform/modules/aws-s3/outputs.tf"
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Added file   module="root" module="aws-s3" file_path=".terraform/modules/aws-s3/outputs.tf"
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Parsing      module="root" module="aws-s3" file_path=".terraform/modules/aws-s3/variables.tf"
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Added file   module="root" module="aws-s3" file_path=".terraform/modules/aws-s3/variables.tf"
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Parsing      module="root" module="aws-s3" file_path=".terraform/modules/aws-s3/versions.tf"
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Added file   module="root" module="aws-s3" file_path=".terraform/modules/aws-s3/versions.tf"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Using module from Terraform cache .terraform/modules      module="root" source="terraform-aws-modules/s3-bucket/aws"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Loaded module     module="root" name="aws-s3" file_path=".terraform/modules/aws-s3"
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Loading module       module="root" module="aws-s3" module="aws-s3"
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Read block(s) and ignore(s)  module="root" module="aws-s3" blocks=116 ignores=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Added input variables from module definition module="root" module="aws-s3" count=7
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Loaded module metadata for modules   module="root" module="aws-s3" file_path=".terraform/modules/modules.json" count=2
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Working directory for module evaluation      module="root" module="aws-s3" file_path="/Users/felipe.gonzalez/incharge/gitlab/incharging/sandbox/terraform-trivy-s3"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting submodules evaluation... module="root"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Evaluating submodule      module="root" name="aws-s3"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting module evaluation...     module="root" module="aws-s3" path=".terraform/modules/aws-s3"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting iteration        module="root" module="aws-s3" iteration=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting iteration        module="root" module="aws-s3" iteration=1
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting iteration        module="root" module="aws-s3" iteration=2
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting iteration        module="root" module="aws-s3" iteration=3
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting iteration        module="root" module="aws-s3" iteration=4
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Context unchanged module="root" module="aws-s3" iteration=4
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket.this" clones=1
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_accelerate_configuration.this" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_acl.this" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_cors_configuration.this" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_lifecycle_configuration.this" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_logging.this" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_object_lock_configuration.this" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_ownership_controls.this" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_policy.this" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_public_access_block.this" clones=1
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_replication_configuration.this" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_request_payment_configuration.this" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_server_side_encryption_configuration.this" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_versioning.this" clones=1
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_website_configuration.this" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.aws_s3_directory_bucket.this" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_canonical_user_id.this" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.access_log_delivery" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.cloudtrail_log_delivery" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.combined" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.deny_incorrect_encryption_headers" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.deny_incorrect_kms_key_sse" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.deny_insecure_transport" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.deny_ssec_encrypted_object_uploads" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.deny_unencrypted_object_uploads" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.elb_log_delivery" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.inventory_and_analytics_destination_policy" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.lb_log_delivery" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.require_latest_tls" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'count' attribute. module="root" module="aws-s3" block="module.aws-s3.data.aws_iam_policy_document.waf_log_delivery" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'for_each' attribute.      module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_analytics_configuration.this" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'for_each' attribute.      module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_intelligent_tiering_configuration.this" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'for_each' attribute.      module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_inventory.this" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Expanded block into clones via 'for_each' attribute.      module="root" module="aws-s3" block="module.aws-s3.aws_s3_bucket_metric.this" clones=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting post-submodules evaluation...    module="root" module="aws-s3"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting iteration        module="root" module="aws-s3" iteration=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting iteration        module="root" module="aws-s3" iteration=1
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Context unchanged module="root" module="aws-s3" iteration=1
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Module evaluation complete.       module="root" module="aws-s3"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_bucket_arn" value="cty.StringVal(\"arn:aws:s3:::\")"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_bucket_bucket_domain_name" value="cty.StringVal(\"\")"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_bucket_bucket_regional_domain_name" value="cty.StringVal(\"\")"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_bucket_hosted_zone_id" value="cty.StringVal(\"\")"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_bucket_id" value="cty.DynamicVal"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_bucket_lifecycle_configuration_rules" value="cty.StringVal(\"\")"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_bucket_policy" value="cty.StringVal(\"\")"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_bucket_region" value="cty.StringVal(\"\")"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_bucket_website_domain" value="cty.StringVal(\"\")"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_bucket_website_endpoint" value="cty.StringVal(\"\")"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_directory_bucket_arn" value="cty.DynamicVal"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Added module output       module="root" module="aws-s3" block="s3_directory_bucket_name" value="cty.DynamicVal"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=1
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=2
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Context unchanged module="root" iteration=2
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Submodule inputs unchanged        module="root" name="aws-s3"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] All submodules are evaluated      module="root" loop=1
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting post-submodule evaluation...     module="root"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=1
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Context unchanged module="root" iteration=1
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Finished processing submodule(s). module="root" count=1
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting post-submodules evaluation...    module="root"
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=0
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Starting iteration        module="root" iteration=1
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Context unchanged module="root" iteration=1
2026-01-08T10:09:24-08:00       DEBUG   [terraform evaluator] Module evaluation complete.       module="root"
2026-01-08T10:09:24-08:00       DEBUG   [terraform parser] Finished parsing module      module="root"
2026-01-08T10:09:24-08:00       DEBUG   [terraform executor] Adapting modules...
2026-01-08T10:09:24-08:00       DEBUG   [terraform executor] Adapted module(s) into state data. count=2
2026-01-08T10:09:24-08:00       DEBUG   [terraform executor] Scan state data
2026-01-08T10:09:24-08:00       DEBUG   [rego] Scanning inputs  count=1
2026-01-08T10:09:24-08:00       DEBUG   [terraform executor] Finished applying checks
2026-01-08T10:09:24-08:00       DEBUG   [terraform executor] Applying ignores...
2026-01-08T10:09:24-08:00       INFO    [terraform executor] Ignore finding     rule="aws-s3-encryption-customer-key" range="terraform-aws-modules/s3-bucket/aws/.terraform/modules/aws-s3/main.tf:25-34"
2026-01-08T10:09:24-08:00       INFO    [terraform executor] Ignore finding     rule="aws-s3-enable-bucket-encryption" range="terraform-aws-modules/s3-bucket/aws/.terraform/modules/aws-s3/main.tf:25-34"
2026-01-08T10:09:24-08:00       INFO    [terraform executor] Ignore finding     rule="aws-s3-enable-logging" range="terraform-aws-modules/s3-bucket/aws/.terraform/modules/aws-s3/main.tf:25-34"
2026-01-08T10:09:24-08:00       DEBUG   [misconfig] Scanning files for misconfigurations...     scanner="Helm"
2026-01-08T10:09:24-08:00       DEBUG   OS is not detected.
2026-01-08T10:09:24-08:00       INFO    Detected config files   num=2
2026-01-08T10:09:24-08:00       DEBUG   Scanned config file     file_path="."
2026-01-08T10:09:24-08:00       DEBUG   Scanned config file     file_path="terraform-aws-modules/s3-bucket/aws/.terraform/modules/aws-s3/main.tf"
2026-01-08T10:09:24-08:00       DEBUG   Specified ignore file does not exist    file=".trivyignore"
2026-01-08T10:09:24-08:00       DEBUG   [vex] VEX filtering is disabled

Report Summary

┌───────────────────────────────────────────────────────────────────────┬───────────┬───────────────────┐
│                                Target                                 │   Type    │ Misconfigurations │
├───────────────────────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ .                                                                     │ terraform │         0         │
├───────────────────────────────────────────────────────────────────────┼───────────┼───────────────────┤
│ terraform-aws-modules/s3-bucket/aws/.terraform/modules/aws-s3/main.tf │ terraform │         1         │
└───────────────────────────────────────────────────────────────────────┴───────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


terraform-aws-modules/s3-bucket/aws/.terraform/modules/aws-s3/main.tf (terraform)

Tests: 1 (SUCCESSES: 0, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 1, HIGH: 0, CRITICAL: 0)

AVD-AWS-0090 (MEDIUM): Bucket does not have versioning enabled
══════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════════
Versioning in Amazon S3 is a means of keeping multiple variants of an object in the same bucket.

You can use the S3 Versioning feature to preserve, retrieve, and restore every version of every object stored in your buckets.

With versioning you can recover more easily from both unintended user actions and application failures.

When you enable versioning, also keep in mind the potential costs of storing noncurrent versions of objects. To help manage those costs, consider setting up an S3 Lifecycle configuration.


See https://avd.aquasec.com/misconfig/avd-aws-0090
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 terraform-aws-modules/s3-bucket/aws/.terraform/modules/aws-s3/main.tf:182
   via terraform-aws-modules/s3-bucket/aws/.terraform/modules/aws-s3/main.tf:180-186 (versioning_configuration)
    via terraform-aws-modules/s3-bucket/aws/.terraform/modules/aws-s3/main.tf:173-187 (aws_s3_bucket_versioning.this[0])
     via aws-s3-locals.tf:12-23 (module.aws-s3)
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
 173   resource "aws_s3_bucket_versioning" "this" {
 ...   
 182 [     status = try(var.versioning["enabled"] ? "Enabled" : "Suspended", tobool(var.versioning["status"]) ? "Enabled" : "Suspended", title(lower(var.versioning["status"])), "Enabled")
 ...   
 187   }
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────


2026-01-08T10:09:24-08:00       DEBUG   Cleaning up temp directory      path="/var/folders/rh/cz877djs1mbcvbn998mvgbzr0000gn/T/trivy-63689"



### Operating System

macOS Tahoe 26.2

### Version

```bash
Version: 0.68.2
Check Bundle:
  Digest: sha256:0491169789b867ae5a7353381220c1d4d97b3a0d6d9dfd84a25d06f0ba68aa93
  DownloadedAt: 2026-01-08 17:52:10.775083 +0000 UTC

Checklist

Run trivy clean --all
Read the troubleshooting

nikpivkin · 2026-01-13T14:51:25Z

nikpivkin
Jan 13, 2026
Maintainer

Hi @felipeng !

Thanks for the report!

Track #10047

0 replies

sufield · 2026-04-09T14:55:06Z

sufield
Apr 9, 2026

If you're hitting false positives from for_each/try() resolution in static analysis, an alternative approach is to evaluate the deployed bucket's actual configuration rather than the Terraform template. Tools like Stave evaluate observation snapshots of your infrastructure (captured via AWS CLI) against security controls — so versioning.enabled is checked against the real bucket state, not the HCL expression that computes it. No parser, no false positives from complex expressions.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

misconfiguration with false-positive while using terraform data with for_each #10026

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

misconfiguration with false-positive while using terraform data with for_each #10026

Uh oh!

felipeng Jan 8, 2026

Description

Desired Behavior

Actual Behavior

Reproduction Steps

Target

Scanner

Output Format

Mode

Debug Output

Checklist

Replies: 2 comments

Uh oh!

nikpivkin Jan 13, 2026 Maintainer

Uh oh!

sufield Apr 9, 2026

felipeng
Jan 8, 2026

nikpivkin
Jan 13, 2026
Maintainer

sufield
Apr 9, 2026