
EIP is associated with NAT gateway generated with Terraform vpc module 2.70.0 but still it throws CKV2_AWS_19 as failed check #1567

Closed
nisargtk opened this issue Sep 2, 2021 · 3 comments
Assignees
Labels
checks Check additions or changes good first issue Good for newcomers stale

Comments

@nisargtk

nisargtk commented Sep 2, 2021

Describe the bug
EIP is associated with NAT gateway generated with Terraform vpc module 2.70.0 but still it throws CKV2_AWS_19 as failed check

To Reproduce
Create a VPC with the Terraform VPC module (sample code below). It allocates an EIP, creates a NAT gateway and associates the EIP with it, but the Checkov scan shows CKV2_AWS_19 as failed: "Ensure that all EIP addresses allocated to a VPC are attached to EC2 instances".

```hcl
module "vpc" {
  source  = "terraform-aws-modules/vpc/aws"
  version = "2.70.0"

  cidr = var.vpc_cidr
  name = upper(local.name)
  azs  = var.vpc_azs

  public_subnets      = var.public_subnets
  private_subnets     = var.private_subnets
  database_subnets    = var.database_subnets
  elasticache_subnets = var.elasticache_subnets

  enable_nat_gateway      = true
  map_public_ip_on_launch = false
  one_nat_gateway_per_az  = false
  single_nat_gateway      = true

  tags = local.tags

  elasticache_subnet_suffix = "eventstore"

  database_dedicated_network_acl = true
  manage_default_security_group  = true
  default_security_group_egress  = []
  default_security_group_ingress = []

  public_dedicated_network_acl      = true
  private_dedicated_network_acl     = true
  elasticache_dedicated_network_acl = true

  enable_dns_hostnames = true
  enable_dns_support   = true

  enable_s3_endpoint = true

  enable_secretsmanager_endpoint              = true
  secretsmanager_endpoint_private_dns_enabled = true
  secretsmanager_endpoint_security_group_ids  = [module.vpc_endpoint_sg.this_security_group_id]
}
```


Expected behavior
The EIP is associated with the NAT gateway, so the Checkov check CKV2_AWS_19 shouldn't fail.

Screenshots
(screenshot)

checkov version : 2.0.375


@schosterbarak schosterbarak added the good first issue Good for newcomers label Sep 22, 2021
@nimrodkor nimrodkor added the checks Check additions or changes label Dec 28, 2021
@MooreDerek
Contributor

@nisargtk I think the issue is connected with the complicated way the module determines the IP address to allocate to the NAT Gateway. In the NAT Gateway resource:

```hcl
resource "aws_nat_gateway" "this" {
  count = local.create_vpc && var.enable_nat_gateway ? local.nat_gateway_count : 0

  allocation_id = element(
    local.nat_gateway_ips,
    var.single_nat_gateway ? 0 : count.index,
  )
  # ...
}
```

Then the local is derived as:

```hcl
locals {
  nat_gateway_ips = var.reuse_nat_ips ? var.external_nat_ip_ids : try(aws_eip.nat[*].id, [])
}
```

So there are two levels of expression abstraction used to get the AllocationID. I believe this is causing the connected_resource_type logic to fail, as the JSON file just has a reference like:

```json
"expressions": {
  "allocation_id": {
    "references": [
      "local.nat_gateway_ips",
      "var.single_nat_gateway",
      "count.index"
    ]
  }
}
```

@schosterbarak Probably not a "good first issue" :)
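The following is an added illustration of the two-hop problem described in the comment above; it is not Checkov's code and not parsed from real Terraform output. The reference tables are constructed from the two HCL snippets, and `resource_address`, `direct_connected_types` and `resolved_connected_types` are hypothetical names for a one-hop lookup and a lookup that follows `local.*` references.

```python
# Constructed from the HCL shown above: which references each attribute holds.
ATTRIBUTE_REFS = {
    ("aws_nat_gateway.this", "allocation_id"): [
        "local.nat_gateway_ips", "var.single_nat_gateway", "count.index",
    ],
}
# Constructed from the locals block: what each local's expression refers to.
LOCAL_REFS = {
    "nat_gateway_ips": ["var.reuse_nat_ips", "var.external_nat_ip_ids", "aws_eip.nat[*].id"],
}
# Resource types known in this (constructed) configuration, keyed by address.
RESOURCE_TYPES = {"aws_eip.nat": "aws_eip", "aws_nat_gateway.this": "aws_nat_gateway"}

NON_RESOURCE_PREFIXES = ("var", "local", "count", "each", "module")


def resource_address(ref: str):
    """'aws_eip.nat[*].id' -> 'aws_eip.nat'; None for var./local./count. references."""
    parts = ref.split(".")
    if len(parts) < 2 or parts[0] in NON_RESOURCE_PREFIXES:
        return None
    return parts[0] + "." + parts[1].split("[")[0]


def direct_connected_types(resource: str, attribute: str) -> set:
    """One-hop lookup: only resources named literally in the attribute's references."""
    found = set()
    for ref in ATTRIBUTE_REFS.get((resource, attribute), []):
        addr = resource_address(ref)
        if addr in RESOURCE_TYPES:
            found.add(RESOURCE_TYPES[addr])
    return found


def resolved_connected_types(resource: str, attribute: str) -> set:
    """Same lookup, but follows local.<name> references (with a cycle guard)."""
    found, seen = set(), set()
    stack = list(ATTRIBUTE_REFS.get((resource, attribute), []))
    while stack:
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        if ref.startswith("local."):
            stack.extend(LOCAL_REFS.get(ref[len("local."):], []))
            continue
        addr = resource_address(ref)
        if addr in RESOURCE_TYPES:
            found.add(RESOURCE_TYPES[addr])
    return found


def eip_attached_to_nat_gateway(resolve_locals: bool) -> bool:
    lookup = resolved_connected_types if resolve_locals else direct_connected_types
    return "aws_eip" in lookup("aws_nat_gateway.this", "allocation_id")
```

With the one-hop lookup the NAT gateway appears to have no `aws_eip` connection at all, which is the false positive reported here; only after resolving `local.nat_gateway_ips` does the `aws_eip.nat` resource become visible.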

@stale

stale bot commented Oct 28, 2022

Thanks for contributing to Checkov! We've automatically marked this issue as stale to keep our issues list tidy, because it has not had any activity for 6 months. It will be closed in 14 days if no further activity occurs. Commenting on this issue will remove the stale tag. If you want to talk through the issue or help us understand the priority and context, feel free to add a comment or join us in the Checkov slack channel at https://slack.bridgecrew.io
Thanks!

@stale stale bot added the stale label Oct 28, 2022
@stale

stale bot commented Nov 12, 2022

Closing issue due to inactivity. If you feel this is in error, please re-open, or reach out to the community via slack: https://slack.bridgecrew.io Thanks!

@stale stale bot closed this as completed Nov 12, 2022