bug(terraform): module output values are not passed into the context of other modules

[nikpivkin]

I found the following problem:
Currently, module results are only propagated to the context of the parent module (i.e., the one that calls), and are not propagated to the context of other modules. In the example below, the module.artifactory_key.key_arn output value of the artifactory_key module is missing in the context of the artifactory_bucket module.

UPD: output variables of one module are not present in the context of another module only during module evaluation and block expanding (dynamic, for-each).

Discussed in #5262

^{Originally posted by natebowang September 28, 2023}

IDs

AVD-AWS-0088

Description

Hi, We use terraform KMS module terraform-aws-modules/kms/aws v2.0.1 and S3 module terraform-aws-modules/s3-bucket/aws v3.15.1 in our configuration, but Trivy scan fails with the error we don't expect to see

Reproduction Steps

module "artifactory_key" {
  source  = "terraform-aws-modules/kms/aws"
  version = "2.0.1"

  deletion_window_in_days = 7
  enable_key_rotation     = true
  enable_default_policy   = true
}

module "artifactory_bucket" {
  source  = "terraform-aws-modules/s3-bucket/aws"
  version = "3.15.1"

  bucket = "artifactory-sdfsgemekg"

  versioning    = {
    status     = true
    mfa_delete = false
  }
  server_side_encryption_configuration = {
    rule = {
      apply_server_side_encryption_by_default = {
        kms_master_key_id = module.artifactory_key.key_arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

Target

Filesystem

Scanner

Misconfiguration

Target OS

5.4.254-1-MANJARO

Debug Output

2023-09-27T21:05:28.825Z	DEBUG	Severities: ["CRITICAL" "HIGH" "MEDIUM"]
2023-09-27T21:05:28.826Z	DEBUG	Ignore statuses	{"statuses": null}
2023-09-27T21:05:28.832Z	DEBUG	cache dir:  /root/.cache/trivy
2023-09-27T21:05:28.832Z	INFO	Misconfiguration scanning is enabled
2023-09-27T21:05:28.832Z	DEBUG	Policies successfully loaded from disk
2023-09-27T21:05:28.870Z	DEBUG	Walk the file tree rooted at '.' in parallel
2023-09-27T21:05:28.871Z	DEBUG	Skipping directory: .terraform
2023-09-27T21:05:28.871Z	DEBUG	Scanning Terraform files for misconfigurations...
2023-09-27T21:05:41.587Z	DEBUG	OS is not detected.
2023-09-27T21:05:41.587Z	INFO	Detected config files: 10
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: iam-github.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: terraform-aws-modules/apigateway-v2/aws/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: terraform-aws-modules/ecr/aws/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: terraform-aws-modules/kms/aws/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: terraform-aws-modules/lambda/aws/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: terraform-aws-modules/s3-bucket/aws/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: terraform-aws-modules/sns/aws/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: .
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: git::https:/github.com/terraform-aws-modules/terraform-aws-cloudwatch?ref=v4.3.0/modules/log-group/main.tf
2023-09-27T21:05:41.587Z	DEBUG	Scanned config file: git::https:/github.com/terraform-aws-modules/terraform-aws-iam?ref=v5.30.0/modules/iam-user/main.tf

terraform-aws-modules/s3-bucket/aws/main.tf (terraform)

Tests: 15 (SUCCESSES: 13, FAILURES: 2, EXCEPTIONS: 0)
Failures: 2 (MEDIUM: 0, HIGH: 2, CRITICAL: 0)

HIGH: Bucket does not have encryption enabled
════════════════════════════════════════════════════════════════════════════════
S3 Buckets should be encrypted to protect the data that is stored within them if access is compromised.

See https://avd.aquasec.com/misconfig/avd-aws-0088
────────────────────────────────────────────────────────────────────────────────
 terraform-aws-modules/s3-bucket/aws/main.tf:155-177
   via s3-artifact.tf:102-133 (module.artifactory)
────────────────────────────────────────────────────────────────────────────────
 155 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
 156 │   count = local.create_bucket && length(keys(var.server_side_encryption_configuration)) > 0 ? 1 : 0
 157 │ 
 158 │   bucket                = aws_s3_bucket.this[0].id
 159 │   expected_bucket_owner = var.expected_bucket_owner
 160 │ 
 161 │   dynamic "rule" {
 162 │     for_each = try(flatten([var.server_side_encryption_configuration["rule"]]), [])
 163 └ 
 ...   
────────────────────────────────────────────────────────────────────────────────


HIGH: Bucket does not encrypt data with a customer managed key.
════════════════════════════════════════════════════════════════════════════════
Encryption using AWS keys provides protection for your S3 buckets. To increase control of the encryption and manage factors like rotation use customer managed keys.

See https://avd.aquasec.com/misconfig/avd-aws-0132
────────────────────────────────────────────────────────────────────────────────
 terraform-aws-modules/s3-bucket/aws/main.tf:155-177
   via s3-artifact.tf:102-133 (module.artifactory)
────────────────────────────────────────────────────────────────────────────────
 155 ┌ resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
 156 │   count = local.create_bucket && length(keys(var.server_side_encryption_configuration)) > 0 ? 1 : 0
 157 │ 
 158 │   bucket                = aws_s3_bucket.this[0].id
 159 │   expected_bucket_owner = var.expected_bucket_owner
 160 │ 
 161 │   dynamic "rule" {
 162 │     for_each = try(flatten([var.server_side_encryption_configuration["rule"]]), [])
 163 └ 
 ...   
────────────────────────────────────────────────────────────────────────────────

Version

0.45.1

Checklist

• Read the documentation regarding wrong detection
• Ran Trivy with -f json that shows data sources and confirmed that the security advisory in data sources was correct

[heathsnow]

Yeah, this issue is affecting a few of my builds as well. I've tried outputting my terraform plan as json and referencing it with the scan-ref option but no luck (the action doesn't look in the correct directory....it doesn't honor the working-directory workflow attribute).

[nikpivkin]

@simar7 I found another problem. Modules are parsed in alphabetical order of their names. This can cause a module to not have access to the output variables of another module if it is parsed first. Because of this, the for_each and count meta-arguments will not be evaluated, and the dynamic block will not be expanded if those variables are used.

Here's an example:
main.tf

module "module1" {
  source = "./modules/module1"
}
module "module2" {
  source   = "./modules/module2"
  test_var = module.module1.test_out
}

./modules/module2

variable "test_var" {}
resource "test_resource" "this" {
  dynamic "dynamic_block" {
    for_each = [var.test_var]
    content {
      some_attr = dynamic_block.value
    }
  }
}

Block dynamic will be expanded in this case.

But if I rename module2 to module1 and module1 to module2, then the block is not expanded.

module "module2" {
  source = "./modules/module1"
}
module "module1" {
  source   = "./modules/module2"
  test_var = module.module2.test_out
}